Static analysis enables us to find (some) dangerous programming patterns. After a POC with CodeQL against Cucumber-Ruby and Cucumber-JVM we surfaced some interesting findings, so rolling this out to more projects seems worthwhile.
Unfortunately, enabling CodeQL in the Cucumber Ecosystem isn't trivial. With a relatively slow build process, frequent renovate updates and limited runners, using the default settings results in CI getting swamped. So we should take care that:
- The CodeQL scan runs against relevant changes only.
- Each language has its own CodeQL workflow.
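One way to meet both constraints, as an added example and not a workflow taken from the Cucumber repositories: a Ruby-only CodeQL workflow that triggers solely on Ruby-relevant paths and cancels superseded runs on the same ref (the file name `codeql-ruby.yml`, the path globs and the `main` branch name are assumptions; a JVM workflow would be a sibling file with its own paths and a build step).

```yaml
# Added example (not from the Cucumber projects): per-language CodeQL workflow for Ruby.
# Runs only when Ruby sources, dependency manifests or this workflow change, so
# renovate PRs touching other languages do not consume the limited runners.
name: codeql-ruby

on:
  push:
    branches: [main]
    paths:
      - "**/*.rb"
      - "Gemfile*"
      - "*.gemspec"
      - ".github/workflows/codeql-ruby.yml"
  pull_request:
    branches: [main]
    paths:
      - "**/*.rb"
      - "Gemfile*"
      - "*.gemspec"
      - ".github/workflows/codeql-ruby.yml"
  schedule:
    - cron: "0 4 * * 1"   # weekly baseline scan, so new queries still surface findings

# Only the newest run per ref matters; cancel in-progress runs for the same ref.
concurrency:
  group: codeql-ruby-${{ github.ref }}
  cancel-in-progress: true

permissions:
  contents: read
  security-events: write   # required to upload SARIF results to code scanning

jobs:
  analyze:
    runs-on: ubuntu-latest
    timeout-minutes: 30     # cap runaway analyses so they cannot hold a runner indefinitely
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ruby
          queries: security-and-quality

      # Ruby needs no build step; the JVM sibling workflow would build (or autobuild) here.
      - name: Run CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:ruby"
```

Because of the `paths` filter the check is skipped on unrelated PRs, so it must not be configured as a required status check unless a matching `paths-ignore` shim job reports success for them.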
Enable for: