[engine] Implement `shac fix`

It runs all checks just like `shac check`, but then applies all
suggested fixes that have `level="error"` and exactly one suggested
replacement.

There are a few UX issues that will need fixing in follow-up changes:
- It silently skips applying fixes for any findings that overlap with
  earlier findings that also have fixes applied. We should at the very
  least emit a warning when this happens, if not rerun the checks to
  regenerate the suggested fixes and apply them until there are no
  conflicts.
- The command-line output is simplistic and inconsistent in styling with
  the output of `shac check`
- It applies fixes from all checks, even though the vast majority of the
  time people will probably only care to apply fixes from formatters.

Change-Id: I9b924b9c16e26d093fb91b070af62068717bb5cc
Reviewed-on: https://fuchsia-review.googlesource.com/c/shac-project/shac/+/879282
Commit-Queue: Oliver Newman <olivernewman@google.com>
Fuchsia-Auto-Submit: Oliver Newman <olivernewman@google.com>
Reviewed-by: Marc-Antoine Ruel <maruel@google.com>
14 files changed
tree: 63a92e1da7b504bc248b5d1855f9968facaabdac
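The selection and overlap rule the commit message describes, as an added illustration that is not shac's own implementation: findings are modelled as half-open byte ranges in one file, only `level="error"` findings with exactly one suggested replacement qualify, and a qualifying finding whose range overlaps one already accepted is skipped and returned to the caller (so the caller can warn, which the message notes `shac fix` does not yet do) rather than applied. Accepted edits are applied back to front so earlier offsets stay valid. The `Finding` type, its field names and the sample file and findings are constructed for this example and are not shac's API.

```go
package main

import (
	"fmt"
	"sort"
)

// Finding models the subset of a check result that an automatic fixer needs:
// a byte range [Start, End) in one file, a severity level and zero or more
// suggested replacement texts. Hypothetical shape for this example only.
type Finding struct {
	Start, End   int
	Level        string   // e.g. "notice", "warning", "error"
	Replacements []string // candidate replacement texts for [Start, End)
}

// fixable reports whether a finding qualifies for unattended application:
// severity "error" and exactly one suggested replacement. Findings with
// several alternatives are ambiguous and must be left for a human.
func fixable(f Finding) bool {
	return f.Level == "error" && len(f.Replacements) == 1
}

// inBounds rejects ranges that do not fit the file, so a buggy check cannot
// make the fixer slice outside the buffer.
func inBounds(f Finding, n int) bool {
	return f.Start >= 0 && f.Start <= f.End && f.End <= n
}

// applyFixes returns src with all fixable, non-overlapping findings applied,
// plus the fixable findings that were skipped because they overlapped an
// earlier accepted fix. Candidates are processed in order of start offset;
// ties are broken by end offset so the narrower fix wins.
func applyFixes(src string, findings []Finding) (string, []Finding) {
	var cands []Finding
	for _, f := range findings {
		if fixable(f) && inBounds(f, len(src)) {
			cands = append(cands, f)
		}
	}
	sort.Slice(cands, func(i, j int) bool {
		if cands[i].Start != cands[j].Start {
			return cands[i].Start < cands[j].Start
		}
		return cands[i].End < cands[j].End
	})

	var applied, skipped []Finding
	lastEnd := -1
	for _, f := range cands {
		if f.Start < lastEnd { // overlaps a fix we already accepted
			skipped = append(skipped, f)
			continue
		}
		applied = append(applied, f)
		lastEnd = f.End
	}

	// Apply from the end of the file backwards so that replacing one range
	// does not shift the offsets of the ranges still to be applied.
	out := src
	for i := len(applied) - 1; i >= 0; i-- {
		f := applied[i]
		out = out[:f.Start] + f.Replacements[0] + out[f.End:]
	}
	return out, skipped
}

// Constructed sample input: a two-line file and five findings of mixed kinds.
var sampleSrc = "foo  = 1\nprint( foo )\n"

var sampleFindings = []Finding{
	{Start: 9, End: 14, Level: "warning", Replacements: []string{"log"}},  // not an error: ignored
	{Start: 15, End: 16, Level: "error", Replacements: []string{"", " "}}, // two options: ambiguous
	{Start: 3, End: 5, Level: "error", Replacements: []string{" "}},        // collapse double space
	{Start: 4, End: 7, Level: "error", Replacements: []string{" == "}},     // overlaps the fix above: skipped
	{Start: 19, End: 20, Level: "error", Replacements: []string{""}},       // drop space before ")"
}

func main() {
	fixed, skipped := applyFixes(sampleSrc, sampleFindings)
	fmt.Printf("%q\n", fixed)
	for _, f := range skipped {
		fmt.Printf("warning: skipped fix at [%d,%d): overlaps an applied fix\n", f.Start, f.End)
	}
}
```

Rerunning the checks on the fixed output and applying again until nothing is skipped, as the commit message suggests, is a loop around `applyFixes` that regenerates `findings` each pass.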
README.md

shac

Shac (Scalable Hermetic Analysis and Checks) is a unified and ergonomic tool and framework for writing and running static analysis checks.

Shac checks are written in Starlark.

[image: usage demonstration]

Usage

go install go.fuchsia.dev/shac-project/shac@latest
shac check
shac doc shac.star | less

Documentation

Road map

Planned features/changes, in descending order by priority:

  • [x] Configuring files to exclude from shac analysis in shac.textproto
  • [x] Include unstaged files in analysis, including respecting unstaged shac.star files
  • [x] Automatic fix application with handling for conflicting suggestions
  • [ ] Provide a .shac cache directory that checks can write to
  • [ ] Mount checkout directory read-only
    • [x] By default
    • [ ] Unconditionally
  • [ ] Give checks access to the commit message via ctx.scm
  • [ ] Built-in formatting of Starlark files
  • [ ] Configurable “pass-throughs” - non-default environment variables and mounts that can optionally be passed through to the sandbox
  • [ ] Add glob arguments to ctx.scm.{all,affected}_files() functions for easier filtering
  • [ ] Filesystem sandboxing on macOS
  • [ ] Windows sandboxing
  • [ ] Testing framework for checks

Contributing

⚠ The source of truth is at https://fuchsia.googlesource.com/shac-project/shac.git and uses Gerrit for code review.

See CONTRIBUTING.md to submit changes.