Run a static application security test (SAST) as part of core CI

Created on 1 April 2025

Problem/Motivation

Drupal does not currently have a static application security test (SAST) as part of its automated testing. While the results of SAST can require some human review, they can be a good way to gain confidence and catch bugs in a codebase. This is a strong practice recommended by the Open Source Security Foundation (see also the related issue 📌 "Get an Open Source Security Foundation badge for Drupal (core? contrib?)", status: Needs review).

The initial run of any tool will likely create a lengthy report. We'll want a tool that we can configure or train to ignore false positives. Any true positives will have to follow the normal coordinated vulnerability disclosure process. Then, if we run it periodically before each release, any valid vulnerabilities it finds can be fixed in public.
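As an added illustration of the false-positive handling described above (example code, not part of this issue or of Drupal's CI), a small baseline filter in Python: it reads a SAST report in a simplified SARIF-like shape, suppresses findings a reviewer has already triaged as false positives, and fails the job only on findings that still need review. The report shape, rule ids, file paths and fingerprints are all constructed for the example.

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed sample report in a simplified SARIF-like shape. Assumption:
# real tools emit full SARIF; only the fields used here are modelled.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"ruleId": "php.sqli.tainted-query", "file": "core/lib/Example.php",
         "line": 120, "fingerprint": "a1b2"},
        {"ruleId": "php.xss.unescaped-output", "file": "core/modules/example/example.module",
         "line": 42, "fingerprint": "c3d4"},
        {"ruleId": "php.sqli.tainted-query", "file": "core/lib/Other.php",
         "line": 7, "fingerprint": "e5f6"},
    ]
})

# Constructed baseline: findings a human reviewer accepted as false positives.
# Keyed by rule + fingerprint rather than line number, so a line shift does
# not un-suppress a finding, but a change to the flagged code (new fingerprint)
# surfaces it again for review.
SAMPLE_BASELINE = json.dumps({
    "suppressed": [
        {"ruleId": "php.xss.unescaped-output", "fingerprint": "c3d4",
         "reason": "output is already escaped by the template layer"},
    ]
})


def load_suppressions(baseline_json: str) -> Set[Tuple[str, str]]:
    """Return the set of (ruleId, fingerprint) pairs accepted as false positives."""
    data = json.loads(baseline_json)
    return {(s["ruleId"], s["fingerprint"]) for s in data.get("suppressed", [])}


def new_findings(report_json: str, baseline_json: str) -> List[Dict]:
    """Findings not covered by the baseline; these still need human review."""
    suppressed = load_suppressions(baseline_json)
    results = json.loads(report_json).get("results", [])
    return [r for r in results if (r["ruleId"], r["fingerprint"]) not in suppressed]


def ci_exit_code(report_json: str, baseline_json: str) -> int:
    """Non-zero when unreviewed findings exist, so the CI job fails."""
    return 1 if new_findings(report_json, baseline_json) else 0


if __name__ == "__main__":
    for f in new_findings(SAMPLE_REPORT, SAMPLE_BASELINE):
        print(f"{f['ruleId']} {f['file']}:{f['line']} needs review")
    raise SystemExit(ci_exit_code(SAMPLE_REPORT, SAMPLE_BASELINE))
```

Findings that turn out to be true positives would not be added to the baseline; they go through the disclosure process and the baseline entry is only added for reviewed false positives.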

Steps to reproduce

Proposed resolution

  1. We need to pick a tool. Some options:
    1. nuclei
    2. ...add more here...
  2. Then implement it.

Remaining tasks

  1. Picking a tool.
  2. Implementing it.

📌 Task
Status

Active

Version

1.0

Component

Code

Created by

🇺🇸 United States greggles Denver, Colorado, USA
