New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Checklist-based repository reviews #1526

sqs opened this Issue Dec 20, 2018 · 1 comment


None yet
2 participants
Copy link

sqs commented Dec 20, 2018

As a security engineer performing a non-blocking review of an existing repository, I want to be able to define patterns to match potentially dangerous code and collaborate with other security engineers on reviewing matches in a repository. This will help us perform a thorough review more efficiently. It will also make it easier for us to monitor the repository on an ongoing basis and for the usual developers who maintain the repository to help keep the repository compliant.

I have a set of pattern definitions in JSON of the form {name, pattern, filePathPattern?, customMatcher?}. The customMatcher is an optional function or function ID (for well-known functions) that is called to post-filter pattern matches to reduce false positivs (e.g., the Shannon cross-entropy check to only match high-entropy strings).

For any given repository, I want to see a list of all matches of these patterns. Each match should be able to be checked off individually, and it should record which user checked it (and when). I want to be able to add comments on the match if needed (using code discussions), and the presence of comments on the match should be visible on the list of matches.

If, after I've checked off a match, a new commit is pushed to the repository, I want it to "do the right thing". This means resetting the checked-off state if the matched line(s) changed (but still match a pattern), or keeping the checked-off state if the matched line(s) did not change.

Background on security code reviews:


Requested by @P3GLEG

@sqs sqs added this to the Backlog milestone Dec 20, 2018

@sqs sqs self-assigned this Dec 20, 2018


This comment has been minimized.

Copy link

lguychard commented Dec 20, 2018

"Feeding a list of patterns to a Sourcegraph extensions" is essentially done in For now, this only allows goto def/ref, but it could easily highlight the matches while browsing the code view as well, and search for matches in a given repository (once we extend the extension API to support augmenting repository overview / repository list views, and not just code views). Maybe a good starting point?

@sqs sqs removed the plan label Jan 29, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment