Enforcing Code Quality and Security
To enforce the code quality and security rules defined in Quality Gates, we plan to use the functionality provided by GitHub.
GitHub provides continuous integration and deployment features called GitHub Actions. We will use this feature to check whether the committed code builds and to execute static analysis on it.
We plan to use SonarCloud for measuring code quality and code security, as well as for enforcing the secure coding standards.
SonarCloud integrates with GitHub so that it provides feedback on code quality and security (as well as badges) for each commit and pull request. The review of a pull request is also emitted as a status check, which can be used to block the merging of the pull request until the issues are fixed.
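As an added illustration (not a file from the project's repository), the following GitHub Actions workflow builds a Gradle project and runs the SonarCloud analysis on every push to master and on every pull request, so that the SonarCloud status check described above is produced. The workflow path, the `SONAR_TOKEN` secret name, and the project/organization keys are assumptions.

```yaml
# Added example, not the project's own file: .github/workflows/build.yml
name: Build and analyze

on:
  push:
    branches: [ master ]
  pull_request:
    types: [ opened, synchronize, reopened ]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          # A shallow clone breaks SonarCloud's new-code detection, so fetch the full history.
          fetch-depth: 0

      - name: Set up JDK 11
        uses: actions/setup-java@v1
        with:
          java-version: 11

      - name: Build and run tests
        run: ./gradlew build

      - name: SonarCloud analysis
        env:
          # GITHUB_TOKEN lets the scanner annotate the pull request;
          # SONAR_TOKEN is a repository secret holding the SonarCloud token (assumed name).
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        # Requires the org.sonarqube Gradle plugin in build.gradle.
        # The project key and organization below are placeholders.
        run: |
          ./gradlew sonarqube \
            -Dsonar.host.url=https://sonarcloud.io \
            -Dsonar.organization=PLACEHOLDER_ORG_KEY \
            -Dsonar.projectKey=PLACEHOLDER_PROJECT_KEY
```

The failing or passing Quality Gate then appears on the pull request as the SonarCloud status check, which the branch protection rule can mark as required.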
The master branch can only contain code that passes the Quality Gate. To enforce this rule, we will use GitHub's branch protection rules in the following manner:
Code can only be merged to the master branch if:
- The SonarCloud status check passes
- The pull request was reviewed and approved by at least one person who did not contribute to the pull request.
We will use GitHub's Dependabot, which analyzes the dependencies of our project (by integrating with Gradle and Maven) and checks whether they are outdated or contain well-known security flaws. If such a dependency is found, Dependabot notifies the developers and, once a new version of the insecure dependency is released, automatically creates a pull request updating the dependency.
© Grotesque Gecko, 2020