Precaution provides simple, automated code reviews for GitHub projects by running code linters with a security focus on all pull requests.
GitHub integration is done through the GitHub App interface and the Checks API (beta), which lets results be presented directly as inline annotations on the pull request instead of a single pass/fail status report.
Precaution currently supports analysis of Python files via Bandit and Go files via Gosec. New languages may be added in future.
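To show what the Bandit-to-annotations step looks like, here is an added example (not Precaution's own code): it parses a constructed `bandit -f json` report and builds the `conclusion` and `output.annotations` body a Checks API update expects. The severity mapping and conclusion policy are this example's choices, not Precaution's.

```python
import json

# Constructed sample in the shape of `bandit -f json` output, trimmed to the
# fields this example uses (not output captured from any real project).
SAMPLE_BANDIT_JSON = json.dumps({"results": [
    {"filename": "./app/db.py", "line_number": 12, "line_range": [12, 13],
     "test_id": "B608", "test_name": "hardcoded_sql_expressions",
     "issue_severity": "MEDIUM", "issue_confidence": "LOW",
     "issue_text": "Possible SQL injection vector through string-based query construction."},
    {"filename": "./app/util.py", "line_number": 3, "line_range": [3],
     "test_id": "B101", "test_name": "assert_used",
     "issue_severity": "LOW", "issue_confidence": "HIGH",
     "issue_text": "Use of assert detected."},
], "errors": []})

# Bandit severity -> Checks API annotation_level (mapping chosen for this example).
LEVELS = {"LOW": "notice", "MEDIUM": "warning", "HIGH": "failure"}
MAX_ANNOTATIONS = 50  # the Checks API accepts at most 50 annotations per update call

def bandit_to_annotations(report_json):
    """Turn each Bandit finding into a Checks API annotation dict."""
    annotations = []
    for finding in json.loads(report_json).get("results", []):
        lines = finding.get("line_range") or [finding["line_number"]]
        path = finding["filename"]
        if path.startswith("./"):  # annotation paths must be repository-relative
            path = path[2:]
        annotations.append({
            "path": path,
            "start_line": min(lines),
            "end_line": max(lines),
            "annotation_level": LEVELS.get(finding["issue_severity"], "warning"),
            "title": f"{finding['test_id']}: {finding['test_name']}",
            "message": f"{finding['issue_text']} (confidence: {finding['issue_confidence']})",
        })
    return annotations

def build_check_run_update(report_json):
    """Body for a Checks API update. Conclusion policy is this example's choice:
    any HIGH finding fails the check, MEDIUM alone is neutral, otherwise success."""
    annotations = bandit_to_annotations(report_json)
    levels = {a["annotation_level"] for a in annotations}
    conclusion = "failure" if "failure" in levels else "neutral" if "warning" in levels else "success"
    return {"conclusion": conclusion, "output": {
        "title": f"{len(annotations)} Bandit finding(s)",
        "summary": ", ".join(a["title"] for a in annotations) or "No issues found.",
        "annotations": annotations[:MAX_ANNOTATIONS],  # a real app pages the rest in further updates
    }}
```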
- Documentation: vmware/precaution/docs
- Source: vmware/precaution
- Bugs: vmware/precaution/issues
- You can install Precaution from here: https://github.com/apps/precaution
- Then choose the profile you want to connect Precaution with.
- Next, choose which repositories you want to enable Precaution on.
- Review and accept the permissions for the GitHub app. These are the minimal permissions required to read the pull request contents and communicate with the Checks API.
- Done! Precaution is now installed on your repositories.
- Initial setup
- False positives and how to handle them
- Setting up a manual deployment
- Debugging with VSCode
- Architecture
The Precaution project team welcomes contributions from the community. Before you start working with Precaution, please read our Developer Certificate of Origin. All contributions to this repository must be signed as described on that page. Your signature certifies that you wrote the patch or have the right to pass it on as an open-source patch. For more detailed information, refer to CONTRIBUTING.md.
BSD-2 License
If you have any other questions which are not addressed in the docs or README, reach out to us in the #precaution channel on Slack.