Static Code Analysis during CI/CD Pipeline

This probably belongs in the CI-CD pipelines board.

Requirements

  • Java code needs to pass through a static code analysis tool.
  • Infrastructure code needs to pass through a static code analysis tool.
  • Third-party / open source code libraries that are used need to be scanned for vulnerabilities and for compatible open source licenses.

Operator Input

  • Chevron lists this as a requirement
  • Shell lists this as a requirement
  • ExxonMobil lists this as a requirement
  • BP lists this as a requirement

Definition of Done

  • Code is scanned as a standard set of tests during the standard pipeline build
  • Security tests failing can cause the build to fail
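
One way to implement the Definition of Done above, as an added example that is not part of this issue: a gate script run as the final pipeline job, which evaluates SAST findings for Java and infrastructure code plus third-party dependency results against a severity threshold and a license allow-list, and exits non-zero so the build fails. The normalised JSON schema, policy values and sample findings are all constructed for illustration and do not come from any particular scanner.

```python
"""Pipeline gate (added example, not from the original issue): fail the
build when scan findings or dependency licenses violate policy."""
import json
import sys

# Policy choices, not values from the page: severities that fail the
# build, and licenses the project is allowed to ship with.
FAIL_SEVERITIES = {"critical", "high"}
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause", "EPL-2.0"}

# Constructed sample report standing in for real scanner output; the
# field names are an assumed normalised schema, not any tool's format.
SAMPLE_REPORT = json.dumps({
    "sast": [
        {"tool": "java-sast", "rule": "SQL_INJECTION", "severity": "high",
         "file": "src/main/java/App.java", "line": 42},
        {"tool": "iac-sast", "rule": "S3_PUBLIC_READ", "severity": "medium",
         "file": "infra/storage.tf", "line": 7},
    ],
    "dependencies": [
        {"name": "example-lib", "version": "1.2.3", "license": "MIT",
         "vulnerabilities": [{"id": "EXAMPLE-0001", "severity": "critical"}]},
        {"name": "other-lib", "version": "4.5.6", "license": "GPL-3.0-only",
         "vulnerabilities": []},
    ],
})

def evaluate(report_json, fail_severities=FAIL_SEVERITIES,
             allowed_licenses=ALLOWED_LICENSES):
    """Return policy violations as strings; an empty list means the gate passes."""
    report = json.loads(report_json)
    violations = []
    for f in report.get("sast", []):  # Java and infrastructure-code findings
        if f["severity"].lower() in fail_severities:
            violations.append(f"{f['tool']}: {f['rule']} ({f['severity']}) "
                              f"at {f['file']}:{f['line']}")
    for dep in report.get("dependencies", []):  # third-party libraries
        coord = f"{dep['name']}@{dep['version']}"
        for v in dep.get("vulnerabilities", []):
            if v["severity"].lower() in fail_severities:
                violations.append(f"{coord}: {v['id']} ({v['severity']})")
        if dep.get("license") not in allowed_licenses:
            violations.append(f"{coord}: license {dep.get('license')} not allowed")
    return violations

if __name__ == "__main__":
    violations = evaluate(SAMPLE_REPORT)
    print("\n".join("FAIL: " + v for v in violations) or "PASS")
    sys.exit(1 if violations else 0)  # non-zero exit fails the CI job and the build
```

In a real pipeline the gate would read the scanners' report artifacts instead of the embedded sample; the medium-severity infrastructure finding is reported but does not fail the build under this policy.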

Edited by Paco Hope (AWS)