Configuration files for code analysis tools used on GOV.UK Pay repositories
This repository contains configuration files for a number of code analysis tools used to analyse GOV.UK Pay repositories. While individual repositories contain their own copies of these files, the ones here are the canonical ones. For the sake of consistency, changes should be made only to the files here and then copied to the other repositories.
| Tool | Description | File name | Applicable repositories |
|---|---|---|---|
| PMD | Cross-language code analyser | ruleset.xml | Any containing Java source code or non-generated XML files |
| Hadolint | Linter for Dockerfiles | .hadolint.yaml | Any containing Dockerfiles |
Codacy provides code analysis as a service. It runs code analysis tools like those listed above either on demand or as part of a build pipeline.
We have an organisation on Codacy called govuk-pay with a number of projects added to it.
For each project, Codacy has a "Code patterns" page, which allows us to choose which code analysis tools to run and how each tool is configured. By default, each tool is set to use the "Tool pattern list" option, which presents a list of patterns with checkboxes to enable or disable each one.
However, we prefer to use the "Configuration file" option, which makes Codacy look for an appropriate configuration file for the tool in the project root. This approach is more flexible because it allows us to use the same configuration for a tool whether it is run by Codacy or by another method (such as on a developer's own computer).
Codacy will only look for configuration files in the root of the project being analysed. Therefore, to use a configuration file, it has to be copied to the root of the target project. The files in this repository are named such that they will be picked up by Codacy if placed in the project root.
Note that Codacy does not appear to support the "Configuration file" option for all code analysis tools. See the "I have my own tool configuration file" section of Codacy's Code Patterns help document for details of which tools can be used with the "Configuration file" option and what the configuration files need to be named.
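Because Codacy only reads the copy in the target project's root, a locally edited or missing copy silently changes what gets analysed. The following shell script is an added example (not part of this repository or of Codacy) that checks a target checkout's copies of `ruleset.xml` and `.hadolint.yaml` against the canonical ones; the directory names and file contents in the demonstration are constructed placeholders.

```shell
#!/bin/sh
# Added example: detect drift between the canonical configuration files and the
# copies placed in the root of a target repository. Assumes both are local checkouts.

CANONICAL_FILES="ruleset.xml .hadolint.yaml"

# check_config_drift CANONICAL_DIR TARGET_DIR
# Prints one line per file (OK, MISSING or DRIFT). Returns 0 only when every
# canonical file is present in TARGET_DIR and byte-identical to the canonical copy.
check_config_drift() {
    canonical_dir=$1
    target_dir=$2
    status=0
    for f in $CANONICAL_FILES; do
        if [ ! -f "$target_dir/$f" ]; then
            # Codacy looks only in the project root, so a missing file means the
            # tool falls back to the pattern list rather than the shared config.
            echo "MISSING $f"
            status=1
        elif cmp -s "$canonical_dir/$f" "$target_dir/$f"; then
            echo "OK      $f"
        else
            echo "DRIFT   $f"
            status=1
        fi
    done
    return $status
}

# Constructed demonstration: a canonical checkout and a target repository whose
# .hadolint.yaml has been edited locally. File contents are placeholders.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/canonical" "$tmp/target"
    printf '<ruleset/>\n' > "$tmp/canonical/ruleset.xml"
    printf 'ignored: []\n' > "$tmp/canonical/.hadolint.yaml"
    cp "$tmp/canonical/ruleset.xml" "$tmp/target/ruleset.xml"
    printf 'ignored: [DL3008]\n' > "$tmp/target/.hadolint.yaml"
    check_config_drift "$tmp/canonical" "$tmp/target"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

if demo; then
    echo "no drift detected"
else
    echo "drift detected: re-copy the canonical files before relying on Codacy results"
fi
```

Run it from CI in each target repository against a fresh checkout of this repository so that a drifted copy fails the build before Codacy reports on it.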
GOV.UK Pay aims to stay secure for everyone. If you are a security researcher and have discovered a security vulnerability in this code, we appreciate your help in disclosing it to us in a responsible manner. Please refer to our vulnerability disclosure policy and our security.txt file for details.