[wp-trac] [WordPress Trac] #56785: Automatically catch potential security issues before release
WordPress Trac
noreply at wordpress.org
Tue Oct 11 01:27:46 UTC 2022
#56785: Automatically catch potential security issues before release
-------------------------+-----------------------------
Reporter: iandunn | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Keywords:
Focuses: |
-------------------------+-----------------------------
It's much less effort to fix a security bug before it makes it into a
release, and that also prevents users from being impacted. Automated tools
are notoriously noisy, but have gotten better over the years, so it may be
worth considering.
I recently tested out [https://sonarcloud.io/ SonarCloud] and it seems
like it could be a good fit. It primarily focuses on new PRs/commits,
which is much more manageable than tools that report a backlog of false
positives.
It can comment on PRs with a report, and we could set up permissions so
that any committer could dismiss false positives while reviewing. It
could also scan (the GitHub mirror of) `trunk`, for commits that don't use
the PR workflow. The ruleset can be customized, so we can only focus on
security issues.
I'm not partial to any particular tool, though; are there others that
folks like? I just noticed
[https://resources.github.com/security/tools/ghas-trial/ GitHub is trialing a static analyzer],
but haven't tried it.
If there are several good contenders, we could experiment with a few and
then weigh the tradeoffs.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56785>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
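To make the proposed setup concrete, the following is an added illustration, not part of the ticket and not a workflow of the WordPress project: a GitHub Actions workflow that runs SonarCloud's published action on every pull request and on every push to `trunk`, so that commits bypassing the PR workflow are still scanned. It assumes the `SonarSource/sonarcloud-github-action` action, a `SONAR_TOKEN` repository secret, and a `sonar.organization` / `sonar.projectKey` pair, all of which are shown as placeholders here; pull requests from forks are skipped because repository secrets are not available to them.

```yaml
# Added illustration, not from the ticket or the WordPress project: a GitHub
# Actions workflow that runs SonarCloud on pull requests and on pushes to
# `trunk`, as the ticket proposes. Organization and project key are
# placeholders to be replaced with the values from the SonarCloud project.
name: SonarCloud security scan

on:
  pull_request:
  push:
    branches: [trunk]

jobs:
  sonarcloud:
    runs-on: ubuntu-latest
    # Fork PRs cannot read SONAR_TOKEN, so the scan would only fail noisily.
    if: github.event.pull_request.head.repo.fork != true
    steps:
      - uses: actions/checkout@v3
        with:
          # Full history lets SonarCloud attribute findings to the new code
          # in a PR rather than reporting the whole backlog.
          fetch-depth: 0

      - uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          args: >
            -Dsonar.organization=PLACEHOLDER_ORG
            -Dsonar.projectKey=PLACEHOLDER_PROJECT_KEY
```

Which rules fire, and which committers may mark a finding as a false positive, is configured in the SonarCloud project's quality profile and permissions rather than in this file; restricting the profile to security rules is what keeps the PR comments focused on the issues the ticket is concerned with.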