Static Code Analysis during CI/CD Pipeline
This probably belongs in the CI-CD pipelines board.
- Java code needs to pass through a static code analysis tool.
- Infrastructure code needs to pass through a static code analysis tool.
- Third party / open source code libraries that are used need to be scanned for vulnerabilities and for compatible open source licenses.
- Chevron lists this as a requirement
- Shell lists this as a requirement
- ExxonMobil lists this as a requirement
- BP lists this as a requirement
Definition of Done
- Code is scanned as a standard set of tests during the standard pipeline build
- Security tests failing can cause the build to fail
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information