2023-04-19 - Configuring git.doit static code analysis - WPS show-and-tell
Authored by Andrew W Petro
2023-04-19-static-code-analysis-in-git-doit-wps-show-and-tell.md
# Configuring git.doit static code analysis (SAST)
+ Live demo: turning on git.doit’s built-in static code analysis ("SAST": "Static Application Security Testing") on a repo.
  + [Configuring in `.gitlab-ci.yml`](https://git.doit.wisc.edu/-/snippets/318)
    + [Using the Shared Tools GitLab-CI Shared Runner](https://kb.wisc.edu/121471)
  + Resulting pipeline and job
  + Where to see the results
    + [Security dashboard](https://git.doit.wisc.edu/-/security/dashboard)
  + Gotcha: I had a hard time differentiating “analyzed and found no problems” from “did not analyze”.
    I’m pretty sure this is a GitLab usability shortcoming. But I’m open to learning this was a me thing.
+ "Detect bugs in any code with this one quick trick."
  + "bugs": SAST reports code that matches its analyzers' rules for known weakness patterns; it does not find logic bugs in general, and a clean report is not proof that no vulnerabilities exist.
  + ["any"][sast supported languages]: .Net, Apex (Salesforce), Go, Groovy, Java, JavaScript, Node.js, PHP, Python, React, Ruby, Ruby on Rails, TypeScript, and more (only languages with a supported analyzer get scanned; check the list for your GitLab version).
+ What is static code analysis?
  + [Static Application Security Testing](https://git.doit.wisc.edu/help/user/application_security/sast/index)
+ Alternative ways to implement static code analysis
  + Tools abound
  + Linting
    + You can do a lot with this.
    + Lint prose?
      + “kids”
      + [Style Guide][UW-Madison Editorial Style Guide]
  + Commit hooks, push hooks
  + Tradeoffs: suggesting (warn, let the merge proceed) vs enforcing (fail the pipeline or block the merge)
+ Hot take: [Merge Requests are hazardous to team health][Pull Requests Considered Harmful]
  + Asynchronous vs synchronous collaboration
    + Delayed feedback, extra context switching
  + Merge your own merge request?
  + Context matters, of course.
  + [Trunk-based development][]
    + trunk as always releasable
+ Hotter take: There are no universally correct collaboration practices here, only practices and culture that work in specific contexts.
+ [Ship, Show, Ask][]
  + Q: "Should my team adopt this approach?" A: "You already have."
+ Going further than static code analysis
  + Building
  + Dynamic code analysis
  + Unit tests
  + Building and deploying branches
  + Functional tests
    + Robot / Selenium / Cypress.io
  + Penetration testing
+ Live demo reprise: you can try this out today.
  + Step 1: add [this gitlab-ci.yml](https://git.doit.wisc.edu/-/snippets/318)
  + Step 2: ~~profit~~ review results and see if you learn anything about your code
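As an added example (this is not the linked snippet, which the page does not reproduce, and not GitLab's own template), here is a `.gitlab-ci.yml` that does what the "Configuring in `.gitlab-ci.yml`" bullet describes and also addresses the gotcha about telling "analyzed and found no problems" apart from "did not analyze": it includes GitLab's managed SAST template, then adds a job that fails the pipeline when no analyzer produced a report or the scan did not finish. The template's `*-sast` jobs only exist when its `exists:` rules match files in the repo, and they run with `allow_failure: true`, so a green pipeline with zero findings can mean nothing ran. Assumptions not taken from the page: the repo's languages are handled by the template's `semgrep-sast` job (the analyzer the 2023 template used for Python, JavaScript/TypeScript, Go, Java and several others; other languages have their own `*-sast` job names), and the runner can pull `alpine` and install `jq`. The runner tag for the Shared Tools shared runner is not set here; add it per the KB article.

```yaml
# Added example: enable GitLab's built-in SAST and refuse to treat
# "no report" as "no problems". Assumes the repo's languages are handled
# by the template's semgrep-sast job (see lead-in); change the job name
# if your analyzer is a different *-sast job.
stages:
  - test      # the template's *-sast jobs run in this stage
  - verify    # our own post-check

include:
  - template: Security/SAST.gitlab-ci.yml

variables:
  # Paths the analyzers skip; comma-separated globs (defaults cover spec/test/tests/tmp).
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, node_modules, vendor"
  # How deep the template's `exists:` rules look for source files.
  SEARCH_MAX_DEPTH: 4

# The template publishes the report only as artifacts:reports:sast.
# Re-declare artifacts so the JSON is also a plain artifact that the
# verify job (and the job page) can download.
semgrep-sast:
  artifacts:
    paths: [gl-sast-report.json]
    reports:
      sast: gl-sast-report.json

# "Analyzed and found nothing" vs "did not analyze": this job is the
# enforcing counterpart to the template's allow_failure: true analyzers.
sast-ran-check:
  stage: verify
  image: alpine:3.18            # assumption: any image where jq can be installed works
  needs:
    - job: semgrep-sast
      artifacts: true
      optional: true            # job is absent when no analyzer matched; we still run
  before_script:
    - apk add --no-cache jq
  script:
    - |
      if [ ! -f gl-sast-report.json ]; then
        echo "did not analyze: no gl-sast-report.json (no analyzer matched this repo?)"
        exit 1
      fi
      status=$(jq -r '.scan.status' gl-sast-report.json)         # "success" or "failure"
      analyzer=$(jq -r '.scan.analyzer.id' gl-sast-report.json)  # e.g. "semgrep"
      count=$(jq '.vulnerabilities | length' gl-sast-report.json)
      if [ "$status" != "success" ]; then
        echo "did not analyze: $analyzer reported scan status '$status'"
        exit 1
      fi
      echo "analyzed by $analyzer: $count finding(s)"
      # Suggesting vs enforcing: uncomment the next line to block on any finding.
      # [ "$count" -eq 0 ] || exit 1
```

The verify job uses the `scan` block that every GitLab security report carries (`scan.status`, `scan.analyzer.id`), so a report with an empty `vulnerabilities` list and `status: success` is read as "scanned, clean", while a missing file or a non-success status fails the pipeline. Leaving the last line commented keeps findings in suggesting mode (visible in the MR widget and the Security dashboard); uncommenting it turns the same job into an enforcing gate.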
[sast supported languages]: https://docs.gitlab.com/ee/user/application_security/sast/#supported-languages-and-frameworks
[UW-Madison Editorial Style Guide]: https://editorial-styleguide.umark.wisc.edu/
[Trunk-based development]: https://trunkbaseddevelopment.com/5-min-overview/
[Pull Requests Considered Harmful]: https://franciscomt.medium.com/pull-requests-considered-harmful-c3a10af8becd
[Ship, Show, Ask]: https://martinfowler.com/articles/ship-show-ask.html