Checklist-based repository reviews #1526
As a security engineer performing a non-blocking review of an existing repository, I want to be able to define patterns to match potentially dangerous code and collaborate with other security engineers on reviewing matches in a repository. This will help us perform a thorough review more efficiently. It will also make it easier for us to monitor the repository on an ongoing basis and for the usual developers who maintain the repository to help keep the repository compliant.
I have a set of pattern definitions in JSON of the form
For any given repository, I want to see a list of all matches of these patterns. Each match should be able to be checked off individually, and it should record which user checked it (and when). I want to be able to add comments on the match if needed (using code discussions), and the presence of comments on the match should be visible on the list of matches.
If, after I've checked off a match, a new commit is pushed to the repository, I want it to "do the right thing". This means resetting the checked-off state if the matched line(s) changed (but still match a pattern), or keeping the checked-off state if the matched line(s) did not change.
Background on security code reviews:
Requested by @P3GLEG
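An added Python sketch (not Sourcegraph code and not from the issue author) of the behaviour described above: matches are keyed by pattern, path and line content rather than line number, so a match that merely moves keeps its check-off while an edited line that still matches comes back unchecked. The JSON pattern shape, file contents, user names and timestamps are constructed assumptions.

```python
import hashlib
import json
import re
from collections import Counter

# Constructed pattern definitions; the issue only says "JSON of the form", so
# this shape (an id plus a regex per entry) is an assumption for the example.
PATTERNS_JSON = r'''[
  {"id": "shell-true", "regex": "subprocess\\.(call|run|Popen)\\(.*shell=True"},
  {"id": "weak-hash",  "regex": "hashlib\\.(md5|sha1)\\("}
]'''


def load_patterns(text):
    """Compile each JSON pattern definition into an (id, regex) pair."""
    return [(p["id"], re.compile(p["regex"])) for p in json.loads(text)]


def find_matches(files, patterns):
    """Scan {path: content}; return one match record per matching line."""
    # The key hashes (pattern, path, stripped line text, occurrence index), not
    # the line number, so moved lines keep their key and edited lines get a new one.
    matches, seen = [], Counter()
    for path, content in sorted(files.items()):
        for lineno, line in enumerate(content.splitlines(), 1):
            for pid, rx in patterns:
                if rx.search(line):
                    ident = (pid, path, line.strip())
                    seen[ident] += 1
                    key = hashlib.sha256(repr(ident + (seen[ident],)).encode()).hexdigest()[:16]
                    matches.append({"key": key, "pattern": pid, "path": path,
                                    "line": lineno, "text": line.strip()})
    return matches


def reconcile(state, matches):
    """Carry check-off state to a new commit: unchanged matches keep their
    {"by", "at"} record, changed-but-still-matching lines come back as None
    (unchecked), and matches that no longer exist are dropped."""
    return {m["key"]: state.get(m["key"]) for m in matches}


def demo():
    """Two constructed commits: both matches checked off, then one line edited."""
    patterns = load_patterns(PATTERNS_JSON)
    v1 = {"build.py": "import subprocess\nsubprocess.call(cmd, shell=True)\n",
          "auth.py": "import hashlib\ndigest = hashlib.md5(pw).hexdigest()\n"}
    m1 = find_matches(v1, patterns)
    state = {m["key"]: {"by": "alice", "at": "2019-01-07T10:00:00Z"} for m in m1}
    # Next commit: the shell call is rewritten (still shell=True); md5 line moves down.
    v2 = {"build.py": "import subprocess\nsubprocess.run(cmd, shell=True, check=True)\n",
          "auth.py": "import hashlib\n# salted below\ndigest = hashlib.md5(pw).hexdigest()\n"}
    m2 = find_matches(v2, patterns)
    return reconcile(state, m2), m2
```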
"Feeding a list of patterns to a Sourcegraph extension" is essentially done in https://github.com/lguychard/sourcegraph-configurable-references. For now, this only allows goto def/ref, but it could easily highlight the matches while browsing the code view as well, and search for matches in a given repository (once we extend the extension API to support augmenting repository overview / repository list views, and not just code views). Maybe a good starting point?