I think this may have been mentioned on github already (forgive me if this is a dupe), but is it worth adding Qubes to codecov (or an alt), which automatically scans for bugs and displays a nice badge on the (github) readme (see this)?
Codecov say they are free for open-source. I don’t think it requires any special perms to the repo/compromises security - unless I’ve overthunk it.
This seems like a really simple way to potentially catch security bugs before they become nasty.
Codacy is a no-go (AWS) unless we can get self-hosted (enterprise option); I have asked about pricing and will review the terms when they get in touch ('a few hours').
Snyk (their website is sooo slow - but their sales reps were so quick lol) have a 'container' option, but it appears to be networked atm; they are going to update me. EDIT: no on-premise solution (container phones home).
While searching for synopsys (who don't give much away), I found sourcegraph, who look promising. They have options for open-source/non-profit, so I have sent an email and I'm awaiting a response.
Checkmarx apparently have on-premise, but they are a tad like synopsys in keeping their cards close - awaiting response.
So, synopsys. Not looking great (DRM video for sales lol), and they wanted me to hand over all my data to the devil to contact sales - so I decided not to bother.
Places like that pull request are also where I’ve seen it in use in this project, but I don’t know much about it beyond that. Perhaps @fepitre or @marmarek might be able to say more.
Indeed, I don’t think it’s documented. That’s probably on someone’s decades-long to-do list.