Google Git
Sign in
fuchsia / shac-project / shac / e41b94339422e81f5f3df023ac768e90a6129d97
commite41b94339422e81f5f3df023ac768e90a6129d97[log] [tgz]
authorOliver Newman <olivernewman@google.com>Fri Sep 01 05:53:46 2023 +0000
committerCQ Bot <fuchsia-internal-scoped@luci-project-accounts.iam.gserviceaccount.com>Fri Sep 01 05:53:46 2023 +0000
treec813f3c2ecd5eb5a108ba71aefe5987131a3398f
parentd59a7dbb51268a336eb1df47eaaa683d9ec8a7f9 [diff]
[engine] Remove restriction on executable paths

An executable with path "foo.sh" relative to a shac.star file can now be
run with `ctx.os.exec(["foo.sh"])`, whereas previously it had to be
`ctx.os.exec(["./foo.sh"])`, with "./" necessary to bypass $PATH-based
resolution.

Now $PATH-based resolution will only occur if the executable does not
exist in the repository root.

Change-Id: I64faf5baebbb7e87bf8048e9bfbc914706e985d2
Reviewed-on: https://fuchsia-review.googlesource.com/c/shac-project/shac/+/910615
Fuchsia-Auto-Submit: Oliver Newman <olivernewman@google.com>
Commit-Queue: Auto-Submit <auto-submit@fuchsia-infra.iam.gserviceaccount.com>
Reviewed-by: Anthony Fandrianto <atyfto@google.com>
1 file changed
tree: c813f3c2ecd5eb5a108ba71aefe5987131a3398f
  1. .github/
  2. checks/
  3. cmd/
  4. doc/
  5. images/
  6. internal/
  7. scripts/
  8. vendor/
  9. .gitignore
  10. AUTHORS
  11. codecov.yml
  12. CONTRIBUTING.md
  13. go.mod
  14. go.sum
  15. LICENSE
  16. main.go
  17. OWNERS
  18. PATENTS
  19. README.md
  20. shac.star
  21. shac.textproto
README.md

shac

Shac (Scalable Hermetic Analysis and Checks) is a unified and ergonomic tool and framework for writing and running static analysis checks.

Shac checks are written in Starlark.

usage demonstration

Usage

go install go.fuchsia.dev/shac-project/shac@latest
shac check
shac doc shac.star | less

Documentation

Road map

Planned features/changes, in descending order by priority:

  • [x] Configuring files to exclude from shac analysis in shac.textproto
  • [x] Include unstaged files in analysis, including respecting unstaged shac.star files
  • [x] Automatic fix application with handling for conflicting suggestions
  • [ ] Provide a .shac cache directory that checks can write to
  • [ ] Mount checkout directory read-only
    • [x] By default
    • [ ] Unconditionally
  • [ ] Give checks access to the commit message via ctx.scm
  • [ ] Built-in formatting of Starlark files
  • [ ] Configurable “pass-throughs” - non-default environment variables and mounts that can optionally be passed through to the sandbox
  • [ ] Add glob arguments to ctx.scm.{all,affected}_files() functions for easier filtering
  • [ ] Filesystem sandboxing on MacOS
  • [ ] Windows sandboxing
  • [ ] Testing framework for checks

Contributing

⚠ The source of truth is at https://fuchsia.googlesource.com/shac-project/shac.git and uses Gerrit for code review.

See CONTRIBUTING.md to submit changes.