Skip to content

Commit 859a97d

Browse files
wip
1 parent 11848d6 commit 859a97d

11 files changed

Lines changed: 128 additions & 332 deletions

.github/workflows/deploy-pages.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -32,3 +32,4 @@ jobs:
3232
id-token: write
3333
contents: write
3434
pull-requests: write
35+
actions: write

.github/workflows/pr.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -19,13 +19,15 @@ on:
1919
push:
2020
branches:
2121
- main
22+
- dev
2223
merge_group:
2324
types: [checks_requested]
2425
release:
2526
types: [created]
2627

2728
permissions:
2829
contents: read
30+
actions: write
2931

3032
jobs:
3133
docs-build:

docs/explanation/01-source-code-infrastructure.md

Lines changed: 0 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -49,8 +49,6 @@ Organization-level repository state is still managed centrally. Desired settings
4949

5050
*Infrastructure for managing and synchronizing repository policies such as branch protection, and application thereof at scale. (Otterdog)*
5151

52-
**S-CORE**
53-
5452
Repository policy covers the organization-level settings that govern how repositories behave: branch protection rules, required status checks, merge strategies, and which GitHub Actions are allowed to run. The infrastructure concern is not each individual rule but the system that makes policy intent explicit, reviewable, and enforceable at scale rather than hidden in per-repository admin pages.
5553

5654
In S-CORE, policy intent is expressed centrally via the infrastructure-as-code tool [otterdog](https://otterdog.readthedocs.io/en/latest/userguide/) in the [S-CORE configuration file](https://github.com/eclipse-score/.eclipsefdn/blob/main/otterdog/eclipse-score.jsonnet). That makes policy changes reviewable as pull requests and exceptions explicit rather than silent. The same mechanism can restrict which GitHub Actions are allowed to run in the organization — an important supply-chain concern because third-party actions execute with the permissions of the workflow that calls them. An allowlist strategy classifies actions as approved, under review, or blocked, and the enforcement mechanism should prevent unapproved actions from running rather than merely warning about them.
@@ -73,8 +71,6 @@ S-CORE has the beginnings of central standards but has not yet closed the loop t
7371

7472
*Define standard project metadata such as LICENSE, README, and governance files.*
7573

76-
**S-CORE**
77-
7874
Metadata expectations exist, but rollout is not yet complete across repositories. Discoverability and governance depend on consistent metadata being present and kept current.
7975

8076
For Bazel modules, [eclipse-score/module_template](https://github.com/eclipse-score/module_template) partially addresses this by giving new repositories a common starting set of metadata and governance files instead of requiring each maintainer to assemble them from scratch. That is useful as a bootstrap baseline, but it only covers repositories that fit the template and it does not by itself keep existing repositories aligned over time.

docs/explanation/04-testing-infrastructure.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -162,7 +162,7 @@ graph LR
162162

163163
ITF is structured across three Bazel modules. `score_itf` is the open-source core (plugin contract, Bazel rules, pytest integration). Private or proprietary plugins live in separate repositories (e.g. `vsps_itf_plugins` for ETAS-internal targets) and are consumed via `git_override` or `archive_override` in the test consumer's `MODULE.bazel`. This separation means the open-source core can evolve independently from private plugin implementations.
164164

165-
For traceability, the attribute plugin provides an `@add_test_properties` decorator that writes metadata such as `fully_verifies`, `test_type`, and `derivation_technique` into JUnit XML output. This connects ITF test results to the traceability model described in [section 4.2](#test-traceability).
165+
For traceability, the attribute plugin provides an `@add_test_properties` decorator that writes metadata such as `fully_verifies`, `test_type`, and `derivation_technique` into JUnit XML output. This connects ITF test results to the traceability model described in [section 4.2](#test-execution-dynamic-analysis).
166166

167167
**Biggest gap**: the ITF plugin model and capability system are established, but onboarding guidance for module teams adopting ITF is still thin. The Bazel-side integration for passing traceability metadata from build targets into the attribute plugin is not yet streamlined.
168168

Lines changed: 14 additions & 70 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
# 5 Code Analysis Infrastructure
1+
# 5 Code Analysis Infrastructure 🔴
22

33
:::{tip} Looking for practical guides?
44
This chapter is part of the infrastructure landscape assessment. For step-by-step how-tos and quick references, see the [How-to Guides](../how-to/index.md).
@@ -18,47 +18,47 @@ This chapter has not been fully reviewed. Content may be incomplete or inaccurat
1818
- Dependency alerts, supply-chain analysis of dependency sets, and continuous SBOM monitoring belong in [chapter 6](06-compliance-infrastructure.md), not here.
1919
- **Biggest gap**: code analysis is not yet defined and governed as one cross-repository capability with shared tooling, rule baselines, and ownership expectations.
2020

21-
## 5.1 Tooling Baseline
21+
## 5.1 Tooling Baseline 🔴
2222

2323
*Defining which static analysis tools are approved, recommended, or required for different S-CORE repository types and languages.*
2424

2525
- Code analysis in S-CORE includes linters, type/interface analyzers, style and import checks, and security-oriented analyzers where appropriate.
2626
- Tool choice is currently influenced by language ecosystems, repository classes, and existing engineering practice.
2727
- **Biggest gap**: no explicit cross-repository baseline defines which analyzers are expected by default for C++, Rust, Python, and workflow or documentation assets.
2828

29-
### 5.1.1 C++
29+
### 5.1.1 C++ 🔴
3030

3131
*Static analysis tooling for C++ repositories.*
3232

3333
C++ has the most developed policy infrastructure in S-CORE today. The `score_cpp_policies` module provides a reusable Bazel-integrated rule baseline covering compiler warnings, clang-tidy checks, and formatting expectations. Because policy is decoupled from the toolchain, repositories can adopt updated rule baselines independently of compiler version upgrades. The security-oriented analysis layer for C++ is covered by CodeQL, described in [section 5.4.1](#sast).
3434

3535
**Biggest gap**: the `score_cpp_policies` baseline and its expected adoption scope are not yet documented in a shared, accessible form. Deviation from the baseline is not governed.
3636

37-
### 5.1.2 Rust
37+
### 5.1.2 Rust 🔴
3838

3939
*Static analysis tooling for Rust repositories.*
4040

4141
Rust has native linting via Clippy and formatting via rustfmt, both of which integrate naturally with `rules_rust` in a Bazel build. The `score_rust_policies` module packages shared Clippy and rustfmt configuration as a reusable Bazel module, following the same separation of policy from toolchain used by the C++ path. In practice, Clippy is already used in several Rust repositories but the shared policy baseline is not uniformly adopted.
4242

4343
**Biggest gap**: Clippy and rustfmt configuration exists in individual repositories, but the shared `score_rust_policies` baseline and its required adoption scope are not yet clearly defined or enforced.
4444

45-
### 5.1.3 Python
45+
### 5.1.3 Python 🟠
4646

4747
*Static analysis tooling for Python repositories.*
4848

4949
Python analysis in S-CORE is less standardized than C++ or Rust. Ruff covers linting and formatting in a single fast tool, while mypy or pyright can provide type checking where type annotations are present. Pre-commit integration already runs some checks in development environments, but CI-enforced shared baselines for Python are not in place.
5050

5151
**Biggest gap**: no shared Bazel-integrated or CI-enforced Python analyzer baseline exists across S-CORE repositories.
5252

53-
### 5.1.4 Workflow and Configuration Assets
53+
### 5.1.4 Workflow and Configuration Assets 🟠
5454

5555
*Applying analysis to GitHub Actions workflows and YAML configuration.*
5656

5757
GitHub Actions workflow files, YAML configuration, and Bazel `BUILD` files benefit from automated inspection independently of product code. Tools such as actionlint (for workflow files) and yamllint cover the most impactful targets here. Pre-commit runs some of these locally, but CI enforcement for workflow and configuration analysis is not yet a defined part of the S-CORE baseline.
5858

5959
**Biggest gap**: no shared CI-enforced baseline for workflow and configuration asset analysis exists across S-CORE repositories.
6060

61-
### 5.1.5 Documentation Assets
61+
### 5.1.5 Documentation Assets 🔴
6262

6363
*Applying analysis to documentation sources such as reStructuredText, Markdown, and prose.*
6464

@@ -69,7 +69,7 @@ Documentation repositories and repositories with significant prose content benef
6969

7070
---
7171

72-
## 5.2 Shared Rule Configuration
72+
## 5.2 Shared Rule Configuration 🔴
7373

7474
*Managing analyzer rules, severities, suppressions, and versioning as shared infrastructure instead of ad-hoc repository detail.*
7575

@@ -78,15 +78,15 @@ Documentation repositories and repositories with significant prose content benef
7878

7979
In the current S-CORE repository landscape, these shared rules are increasingly packaged as separate policy modules rather than being folded into toolchain repositories. That is why repositories such as `score_rust_policies` and `score_cpp_policies` belong to this chapter's perspective, while `toolchains_rust` and `bazel_cpp_toolchains` belong to [chapter 3](03-build-infrastructure.md#toolchain-management). The important architectural rule is that consumers should be able to adopt shared lint, warning, and formatting baselines without having to change compiler versions or Bazel toolchain registration at the same time. When such a policy also exposes selectable runtime-oriented features such as sanitizers, [chapter 4](04-testing-infrastructure.md#sanitizers-runtime-checks) still owns why and when those checks are executed; this chapter owns only the reusable rule baseline.
8080

81-
### 5.2.1 Baseline Rulesets
81+
### 5.2.1 Baseline Rulesets 🔴
8282

8383
*Defining centrally maintained defaults for analyzer configuration.*
8484

8585
- Central baselines should define default enabled checks, severity handling, and common exclusions.
8686
- Baselines should be reusable in templates, synchronized configuration, or shared workflow inputs.
8787
- **Biggest gap**: there is no visible authoritative baseline for static-analysis rules across S-CORE repositories.
8888

89-
### 5.2.2 Overrides and Suppressions
89+
### 5.2.2 Overrides and Suppressions 🔴
9090

9191
*Allowing repository-specific exceptions without losing visibility or governance.*
9292

@@ -96,31 +96,7 @@ In the current S-CORE repository landscape, these shared rules are increasingly
9696

9797
---
9898

99-
## 5.3 Execution Model ⚪
100-
101-
*Defining where and how the shared static-analysis capability should be executed across the engineering flow.*
102-
103-
- Static analysis should be executable in multiple contexts, especially local development and CI, without redefining analyzer baselines per context.
104-
- Different execution contexts can use different subsets or frequencies, but they should all derive from the same shared rules and ownership model.
105-
- **Biggest gap**: there is no documented execution model that cleanly separates shared analyzer policy from local and CI-specific delivery.
106-
107-
### 5.3.1 Local Execution Expectations
108-
109-
*Defining what static analysis should provide before code reaches CI.*
110-
111-
- Contributors should be able to run the shared analyzer baseline early enough to catch common issues before opening or updating a pull request.
112-
- Local execution should favor fast feedback and alignment with the centrally defined ruleset, while the delivery details for shared environments, editor usage, and pre-commit belong in [chapter 2](02-developer-environment.md).
113-
- **Biggest gap**: local execution expectations are not yet defined independently of specific tools such as devcontainers, IDEs, or pre-commit hooks.
114-
115-
### 5.3.2 CI Execution Expectations
116-
117-
*Defining what CI should enforce from the shared static-analysis capability.*
118-
119-
- CI should execute the agreed shared analyzer baseline in a consistent, review-visible way and use its outcomes for merge decisions where appropriate.
120-
- The workflow, reporting, and branch-protection mechanics belong in [chapter 7](07-automation-integration.md), not in the code-analysis capability definition itself.
121-
- **Biggest gap**: CI enforcement expectations are not yet clearly separated from workflow implementation details.
122-
123-
### 5.3.3 Incremental Adoption
99+
## 5.3 Incremental Adoption 🔴
124100

125101
*Rolling out stronger analyzer baselines without blocking repository progress all at once.*
126102

@@ -137,7 +113,7 @@ In the current S-CORE repository landscape, these shared rules are increasingly
137113
- This chapter is the canonical home for shared tooling, rule configuration, and execution boundaries that are common across analyzer types.
138114
- **Biggest gap**: the boundary between quality-oriented analyzers and security scanning is not yet described clearly enough to avoid duplication and ownership gaps.
139115

140-
### 5.4.1 SAST 🟠
116+
### 5.4.1 SAST 🔴
141117

142118
*Static application security testing for S-CORE code and configuration.*
143119

@@ -147,40 +123,8 @@ A useful SAST configuration has three layers. The query suite defines which vuln
147123

148124
**Biggest gap**: SAST-specific configuration and required security-gate policies are not yet standardized across repositories. CodeQL query suite selection and severity thresholds vary between repositories.
149125

150-
### 5.4.2 Secret Scanning 🟠
126+
### 5.4.2 Secret Scanning 🟡
151127

152128
*Detecting secrets inadvertently committed to S-CORE repositories.*
153129

154-
- GitHub secret scanning detects common credential patterns in repository history and ongoing changes.
155-
- **Biggest gap**: custom secret patterns and push-protection configuration are not uniformly enabled.
156-
157-
### 5.4.3 Repository Configuration Security
158-
159-
*Inspecting workflows and repository configuration for risky patterns before they become incidents.*
160-
161-
- Infrastructure repositories depend heavily on workflow configuration, permissions, and automation wiring, so configuration-level analysis is a meaningful part of code-analysis security scanning.
162-
- **Biggest gap**: configuration-oriented security analysis is not yet described as part of a shared S-CORE baseline.
163-
164-
---
165-
166-
## 5.5 Results and Governance ⚪
167-
168-
*Managing findings, conformance visibility, and analyzer evolution across repositories.*
169-
170-
- Code-analysis infrastructure should provide visibility into adoption, drift, and findings without forcing every repository to invent its own process.
171-
- Governance includes rule changes, false-positive handling, technical-debt baselines, and measurement of conformance to shared expectations.
172-
- **Biggest gap**: no cross-repository reporting and governance loop currently shows which repositories run which analyzers, with what deviations and outcomes.
173-
174-
### 5.5.1 False Positives and Baselines
175-
176-
*Handling existing findings and noisy rules in a controlled way.*
177-
178-
- Migration to stronger analyzers often needs temporary baselines or approved suppressions so repositories can improve incrementally.
179-
- **Biggest gap**: there is no shared approach for introducing analyzers into repositories with existing finding backlogs.
180-
181-
### 5.5.2 Cross-Repository Visibility
182-
183-
*Measuring adoption and conformance of static-analysis standards across S-CORE.*
184-
185-
- Cross-repository reporting should show baseline adoption, exceptions, and required-check coverage, not just individual CI job output.
186-
- **Biggest gap**: no common dashboard or conformance report currently summarizes static-analysis coverage across S-CORE.
130+
GitHub secret scanning detects common credential patterns in repository history and ongoing changes.

0 commit comments

Comments
 (0)