Static Code Analysis during CI/CD Pipeline

This probably belongs in the CI-CD pipelines board.

Requirements

  • Java code needs to pass through a static code analysis tool.
  • Infrastructure code needs to pass through a static code analysis tool.
  • Third party / open source code libraries that are used need to be scanned for vulnerabilities and for compatible open source licenses.

Operator Input

  • Chevron lists this as a requirement
  • Shell lists this as a requirement
  • ExxonMobil lists this as a requirement
  • BP lists this as a requirement

Definition of Done

  • Code is scanned as a standard set of tests during the standard pipeline build
  • Security tests failing can cause the build to fail
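As an added example (not taken from this page or from any of the listed operators' pipelines), the gate step below shows how the Definition of Done can be enforced in practice: the pipeline runs its SAST, infrastructure-as-code and dependency scanners, and a final step reads their results, compares them with a policy, and exits non-zero so the build fails. The findings and dependency file formats, the severity thresholds and the license allow-list are constructed assumptions; real scanners emit their own report formats (often SARIF or tool-specific JSON), so a thin conversion step would sit between the tools and this gate.

```shell
#!/bin/sh
# Added example, not taken from the page or any operator's pipeline: a security
# gate step that turns scanner results into a pass/fail decision for the build.
# Findings/dependency file formats, thresholds and the license allow-list are
# constructed assumptions; real tools emit their own report formats.

# Policy: how many findings of each severity the build may contain.
MAX_CRITICAL=0
MAX_HIGH=0
# Licenses the organisation accepts for third-party code (constructed allow-list).
ALLOWED_LICENSES="Apache-2.0 MIT BSD-3-Clause"

# count_severity FILE SEVERITY: number of findings at that severity.
# Findings file (constructed format): one per line, "<SEVERITY> <tool> <message>".
count_severity() {
  grep -c "^$2 " "$1" || true
}

# license_violations FILE: print dependencies whose license is not allow-listed.
# Dependency file (constructed format): one per line, "<coordinates> <SPDX id>".
license_violations() {
  while read -r dep license; do
    allowed=0
    for ok in $ALLOWED_LICENSES; do
      [ "$license" = "$ok" ] && allowed=1
    done
    [ "$allowed" -eq 0 ] && echo "$dep ($license)"
  done < "$1"
  return 0
}

# security_gate FINDINGS DEPS: return 0 when policy is met, 1 to fail the build.
# Both checks always run so the log shows every reason for a failure at once.
security_gate() {
  status=0
  critical=$(count_severity "$1" CRITICAL)
  high=$(count_severity "$1" HIGH)
  if [ "$critical" -gt "$MAX_CRITICAL" ] || [ "$high" -gt "$MAX_HIGH" ]; then
    echo "FAIL: $critical critical / $high high findings exceed policy ($MAX_CRITICAL/$MAX_HIGH)"
    status=1
  fi
  bad=$(license_violations "$2")
  if [ -n "$bad" ]; then
    echo "FAIL: dependencies with licenses outside the allow-list:"
    echo "$bad"
    status=1
  fi
  return "$status"
}

# Constructed sample outputs standing in for the SAST, IaC and SCA scanners.
SAST_FINDINGS=$(mktemp)
DEPS=$(mktemp)
trap 'rm -f "$SAST_FINDINGS" "$DEPS"' EXIT
cat > "$SAST_FINDINGS" <<'EOF'
HIGH sast Untrusted request parameter reaches a SQL query in OrderDao.java
MEDIUM sast Hard-coded connection timeout in Config.java
LOW iac Storage bucket in main.tf has no lifecycle rule
EOF
cat > "$DEPS" <<'EOF'
org.example:lib-a:1.2.3 Apache-2.0
org.example:lib-b:4.5.6 GPL-3.0-only
EOF

# In a pipeline this would be the last command of the security stage; its exit
# status is what makes the build fail.
if security_gate "$SAST_FINDINGS" "$DEPS"; then
  echo "security gate passed"
else
  echo "security gate failed: stopping the build"
fi
```

Keeping the policy in the gate script (or a checked-in config it reads) rather than in each scanner's own settings is what makes the scans "a standard set of tests": every pipeline runs the same thresholds, and loosening them shows up as a reviewable change in the repository.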

Edited by Paco Hope (AWS)