For the list of current findings from pipelines see meta-sca report
- Purpose
- Getting started
- Installation
- Web monitor
- Support
- Licensing
- Zero impact
- Available tools
- Further documentation
- Contributing
Purpose of this layer is to provide a proper set of static analysis tools for your YOCTO build. All provided tools can be easily configured and integrated into any CI service (like e.g. Jenkins).
All results are stored to SCA_EXPORT_DIR (which defaults to ${DEPLOY_DIR_IMAGE}/sca). The results will be stored in the raw-format of the corresponding tool and in checkstyle-format.
For a quick start how to use this layer see getting started guide
To install clone the needed branch(es) to any path on your local system.
- You need the current standard poky-layer installed onto your local build environment.
- You need at least python 3.5 to be installed on your build host.
- You need glib-2.0-dev package installed on your build host (used for e.g. configcheck, lynis, tiger, upc)
It is recommended to use privkweihmann/yocto-sca-minimal:latest
docker container for building, which has all necessary requirements already installed.
When you're planing to use meta-sca in your CI/CD, it is advised to use the minified layer meta-sca-minified to save you from cloning this fairly large repository.
NOTE meta-sca-minified only offer releases of this layer for releases made after 03/2020
In your bblayers.conf-file add the following line
BBLAYERS += "<full path to sca-layer>/meta-sca"
or with poky layer already setup run in shell
bitbake-layers add-layer "<full path to sca-layer>/meta-sca"
To make the integration of clang (clang-tidy) work you need to add the meta-clang layer to your bblayer-file.
To enable the php/lua/npm support you need to add the meta-oe layer to your bblayer-file.
To enable the ruby support you need to add the meta-rubygems layer to your bblayer-file.
If you're not quite convinced what this layer can do for you, have a look at the web monitor, where all findings from the layer CI pipelines are publically available.
Actively maintained branches will receive feature and package updates according to the release cycle. Unmaintained branches will only receive package updates on demand.
Status of the branches is described at SECURITY.md.
It's advised to use the tagged source versions in productive environment.
You can expect a new tagged build every 4-6 weeks for every actively maintained branch. Planning is done by milestone features on GitHub.
See SECURITY.md for details
If there is a technical issue that might break backward compatibility it will be mentioned in release note of the corresponding milestone release.
This layer does only provide open source tools. The layer itself is licensed under BSD.
If individual files are licensed under different terms, terms and conditions can be found in the individual file header
This layer provides only -native tools, so actually none of the build binaries will be deployed to your target. Everything happens on the build machine.
There are some excludes to this rule (e.g. lynis) as they need to be cross-compiled to make use of them, nevertheless none of these tools will be installed automatically to your build.
The layer can check on a recipe-level or on an image-level.
- On image-level the whole root-filesystem could be taken into account, which in most cases can't be granted on a recipe-level.
- On the other hand some static code analysis does not make any sense on an image-level - so this layer does have different tools for both level available.
Module | Description | Homepage | Requires | Requires inet | Run on image | Run on recipe | C | C++ | Python | Shell | Javascript | PHP | Go | Images | LUA | Spelling | Metrics | Binaries | Packages | Other formats | Security scope | Functional scope | Style scope |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
alexkohler | Suite of GO analysis tools | https://github.com/alexkohler | x | x | x | ||||||||||||||||||
ansible | Hardening of images with ansible | x | x | x | |||||||||||||||||||
ansiblelint | Linter for ansible playbooks | https://github.com/ansible/ansible-lint | x | x | x | x | x | x | |||||||||||||||
bandit | Scan python code for insecurities | https://github.com/PyCQA/bandit | x | x | x | x | |||||||||||||||||
bashate | Shell script linter | http://docs.openstack.org/developer/bashate/ | x | x | x | x | x | ||||||||||||||||
bitbake | Bitbake issue handling | x | x | x | x | x | |||||||||||||||||
cbmc | C Bounded Model Checker | https://github.com/diffblue/cbmc/ | x | x | x | x | |||||||||||||||||
checkbashisms | Shell script linter | https://manpages.debian.org/jessie/devscripts/checkbashisms.1.en.html | x | x | x | x | x | ||||||||||||||||
checksec | check on security issues | https://github.com/slimm609/checksec.sh | x | x | x | ||||||||||||||||||
clang | C/C++ linter using LLVM | https://clang.llvm.org/extra/clang-tidy/ | meta-clang, manual enable | x | x | x | x | ||||||||||||||||
cmake | Get cmake errors and warnings | x | x | x | x | ||||||||||||||||||
configcheck | Check application configurations | x | x | x | |||||||||||||||||||
cppcheck | C/C++ linter | https://github.com/danmar/cppcheck | x | x | x | x | x | x | |||||||||||||||
cpplint | C/C++ linter | https://github.com/cpplint/cpplint | x | x | x | x | x | x | |||||||||||||||
cspell | Spelling linter | https://github.com/Jason3S/cspell | meta-oe, manual enable | x | x | x | x | ||||||||||||||||
cvecheck | Check for unpatched CVEs | https://github.com/clearlinux/cve-check-tool | manual enable | x | x | x | x | ||||||||||||||||
darglint | Python docstring linter | https://github.com/terrencepreilly/darglint | x | x | x | ||||||||||||||||||
dennis | I18N linter | https://github.com/willkg/dennis/ | x | x | x | x | |||||||||||||||||
detectsecrets | Detect hardcoded secrets in code | https://github.com/Yelp/detect-secrets | x | x | x | x | x | ||||||||||||||||
eslint | Javascript linter | https://github.com/eslint/eslint | meta-oe, manual enable | x | x | x | x | x | |||||||||||||||
flake8 | Python linter | http://flake8.pycqa.org/en/latest/ | x | x | x | x | x | ||||||||||||||||
flawfinder | C/C++ security linter | https://github.com/david-a-wheeler/flawfinder | x | x | x | x | |||||||||||||||||
flint | C/C++ linter | https://github.com/JossWhittle/FlintPlusPlus | x | x | x | x | |||||||||||||||||
gcc | GCC compiler issues and hardening | x | x | x | x | x | |||||||||||||||||
goconsistent | make your Go programs more consistent | https://github.com/quasilyte/go-consistent | x | x | x | ||||||||||||||||||
goconst | Find variables that could be constants in GO files | https://github.com/jgautheron/goconst | x | x | x | ||||||||||||||||||
golicensecheck | Scan code for license information | https://github.com/go-enry/go-license-detector | x | x | x | ||||||||||||||||||
golint | GO linter | https://github.com/golang/lint | x | x | x | ||||||||||||||||||
gosec | GO security linter | https://github.com/securego/gosec | x | x | x | ||||||||||||||||||
htmlhint | HTML linter | https://github.com/htmlhint/HTMLHint | meta-oe, manual enable | x | x | x | x | x | |||||||||||||||
image-summary | Aggregate all findings for package in an image | x | x | x | x | x | |||||||||||||||||
inspec | framework for end-to-end infrastructure tests | https://github.com/inspec/inspec | meta-oe, meta-rubygems, manual enable | x | x | x | |||||||||||||||||
it | Python linter | https://github.com/thg-consulting/it | x | x | x | ||||||||||||||||||
jshint | Javascript linter | https://github.com/jshint/jshint | meta-oe, manual enable | x | x | x | x | x | x | ||||||||||||||
jsonlint | JSON file linter | x | x | x | x | ||||||||||||||||||
kconfighard | Kernel config hardening checker | https://github.com/a13xp0p0v/kconfig-hardened-check | x | x | x | ||||||||||||||||||
licensecheck | Scan code for license information | https://github.com/boyter/lc | x | x | x | ||||||||||||||||||
looong | Find functions with too long arglists | https://github.com/anapaulagomes/looong | x | x | x | ||||||||||||||||||
lse | check on security issues | https://github.com/diego-treitos/linux-smart-enumeration | x | x | x | ||||||||||||||||||
luacheck | LUA linter | https://github.com/mpeterv/luacheck | meta-oe, manual enable | x | x | x | x | ||||||||||||||||
lynis | Auditing tool for images | https://github.com/CISOfy/lynis | x | x | x | ||||||||||||||||||
msgcheck | I18n linter | https://github.com/codingjoe/msgcheck | x | x | x | ||||||||||||||||||
multimetric | Coding metrics | https://github.com/priv-kweihmann/multimetric | manual enable | x | x | x | x | x | x | x | x | x | x | x | |||||||||
mypy | Python linter | https://github.com/python/mypy | x | x | x | x | |||||||||||||||||
nixauditor | Auditing tool for images | https://github.com/XalfiE/Nix-Auditor | x | x | x | ||||||||||||||||||
npmaudit | NPM package auditor | https://docs.npmjs.com/cli/audit | meta-oe, manual enable | x | x | x | x | ||||||||||||||||
oelint | Bitbake recipe linter | https://github.com/priv-kweihmann/oelint-adv | x | x | x | x | |||||||||||||||||
perl | Perl warnings check | x | x | x | |||||||||||||||||||
perlcritic | Perl linter | https://metacpan.org/pod/perlcritic | x | x | x | ||||||||||||||||||
phan | PHP linter | https://github.com/phan/phan | meta-oe, manual enable | x | x | x | x | ||||||||||||||||
phpcodefixer | Find deprecated PHP functions | https://github.com/wapmorgan/PhpCodeFixer | meta-oe, manual enable | x | x | x | x | ||||||||||||||||
phpcodesniffer | PHP Js and CSS linter | https://github.com/squizlabs/PHP_CodeSniffer | meta-oe, manual enable | x | x | x | |||||||||||||||||
phpmd | PHP Linter | https://github.com/phpmd/phpmd | meta-oe, manual enable | x | x | x | x | x | |||||||||||||||
phpsecaudit | Find vulnerabilities in PHP code | https://github.com/FloeDesignTechnologies/phpcs-security-audit | meta-oe, manual enable | x | x | x | x | ||||||||||||||||
phpstan | PHP linter | https://github.com/phpstan/phpstan | meta-oe, manual enable | x | x | x | x | ||||||||||||||||
pkgqaenc | Enhanced package QA | x | x | x | |||||||||||||||||||
proselint | Spelling and text linter | https://github.com/amperser/proselint/ | x | x | x | x | |||||||||||||||||
protolint | Lint protobuf files | https://github.com/yoheimuta/protolint | x | x | x | x | |||||||||||||||||
pscan | Find insecure printfs | http://deployingradius.com/pscan/ | x | x | x | ||||||||||||||||||
pyfindinjection | Find SQL injections in python code | https://github.com/uber/py-find-injection | x | x | x | x | |||||||||||||||||
pylint | Python linter | https://github.com/PyCQA/pylint | x | x | x | x | x | ||||||||||||||||
pyright | Python type linter | https://github.com/Microsoft/pyright | meta-oe, manual enable | x | x | x | x | ||||||||||||||||
pysymcheck | Check binaries for forbidden function usage | https://github.com/priv-kweihmann/pysymbolcheck | x | x | x | ||||||||||||||||||
pytype | Python linter using type-annotations | https://github.com/google/pytype | x | x | x | x | |||||||||||||||||
rats | Check on insecurities in several languages | https://github.com/redNixon/rats | x | x | x | x | x | x | |||||||||||||||
reconbf | security audit tool | https://github.com/HewlettPackard/reconbf | x | x | x | ||||||||||||||||||
reek | Code smell detector for Ruby | https://github.com/troessner/reek | meta-rubygems, manual enable | x | x | x | |||||||||||||||||
retire | Check for known vulnerabilities in javascript and NPM | https://retirejs.github.io/retire.js/ | meta-oe, manual enable | x | x | x | x | x | |||||||||||||||
reuse | Scan code for license information | https://github.com/fsfe/reuse-tool | x | x | x | ||||||||||||||||||
revive | GO linter | https://github.com/mgechev/revive | x | x | x | x | |||||||||||||||||
ropgadget | Determine ROP exploitability in binaries | https://github.com/JonathanSalwan/ROPgadget | manual enable | x | x | x | |||||||||||||||||
rubycritic | Ruby linter | https://github.com/whitesmith/rubycritic/ | meta-rubygems, manual enable | x | x | x | |||||||||||||||||
safety | Check for known vulnerabilities in python-packages | https://github.com/pyupio/safety | x | x | x | x | |||||||||||||||||
scancode | Scan code for license information | https://github.com/nexB/scancode-toolkit | x | x | x | ||||||||||||||||||
secretlint | Tool to prevent committing credential | https://github.com/secretlint/secretlint | meta-oe, manual enable | x | x | x | x | ||||||||||||||||
semgrep | Pattern based linting for many formats and languages | https://github.com/returntocorp/semgrep | only avaiable for x86-64 hosts | x | x | x | x | x | x | x | x | x | |||||||||||
setuptoolslint | Lint python-setup.py | https://github.com/johnnoone/setuptools-pylint | x | x | x | ||||||||||||||||||
shellcheck | Shell script linter | https://github.com/koalaman/shellcheck | x | x | x | x | x | ||||||||||||||||
slick | Shell script linter | https://github.com/mcandre/slick | x | x | x | x | |||||||||||||||||
sparse | C linter | https://sparse.wiki.kernel.org/index.php/Main_Page | x | x | x | ||||||||||||||||||
standard | Javascript linter | https://github.com/standard/standard | meta-oe, manual enable | x | x | x | x | x | x | ||||||||||||||
stank | Shell script linter | https://github.com/mcandre/stank | x | x | x | x | x | ||||||||||||||||
stylelint | CSS/SCSS linter | https://github.com/stylelint/stylelint | meta-oe, manual enable | x | x | x | x | ||||||||||||||||
sudokiller | check on sudo | https://github.com/TH3xACE/SUDO_KILLER | x | x | x | ||||||||||||||||||
systemdlint | Systemd unit linter | https://github.com/priv-kweihmann/systemdlint | x | x | x | x | x | x | |||||||||||||||
textlint | Spelling and text linter | https://github.com/textlint/textlint | meta-oe, manual enable | x | x | x | x | ||||||||||||||||
tiger | security audit and intrusion detection tool | http://www.nongnu.org/tiger/ | x | x | x | ||||||||||||||||||
tlv | Find duplicate code | https://github.com/priv-kweihmann/tlv | manual enable | x | x | x | x | x | x | x | x | x | x | ||||||||||
tscancode | C and lua linter | https://github.com/Tencent/TscanCode | x | x | x | ||||||||||||||||||
upc | check for simple privilege escalation vectors | https://github.com/pentestmonkey/unix-privesc-check | x | x | x | ||||||||||||||||||
vulture | Find dead python code | https://github.com/jendrikseipp/vulture | x | x | x | x | |||||||||||||||||
wotan | Typescript/javascript linter | https://github.com/fimbullinter/wotan | meta-oe, manual enable | x | x | x | x | x | x | ||||||||||||||
xmllint | XML linter | http://xmlsoft.org/xmllint.html | x | x | x | x | |||||||||||||||||
yamllint | YAML linter | https://github.com/adrienverge/yamllint | x | x | x | x | |||||||||||||||||
yara | Find suspicious pattern in binaries | https://github.com/VirusTotal/yara | x | x | x |
each tool does have it's own benefits and flaws so don't be mad if you have 10k+ findings on the initial run.
- Global Configuration
- Blacklisting sources
- Configuration wizard
- Custom severity
- Enable SCA locally/globally
- Fatal findings
- Filter findings
- Filter out files to check
- Output formats
- Suppress findings
- Trace source files
- Tools
- alexkohler
- ansible
- ansiblelint
- bandit
- bashate
- bitbake
- cbmc
- checkbashism
- checksec
- clang
- cmake
- configcheck
- cppcheck
- cpplint
- cspell
- cvecheck
- darglint
- dennis
- detectsecrets
- eslint
- flake8
- flawfinder
- flint++
- gcc
- goconsistent
- goconst
- golicensecheck
- golint
- gosec
- htmlhint
- inspec
- it
- jshint
- jsonlint
- kconfighard
- licensecheck
- looong
- lse
- luacheck
- lynis
- msgcheck
- multimetric
- mypy
- nixauditor
- npmaudit
- oelint
- perl
- perlcritic
- phan
- phpcodefixer
- phpcodesniffer
- phpmd
- phpsecaudit
- phpstan
- pkgqaenc
- proselint
- protolint
- pscan
- pyfindinjection
- pylint
- pyright
- pysymcheck
- pytype
- rats
- reconbf
- reek
- retire
- reuse
- revive
- ropgadget
- rubycritic
- safety
- scancode
- secretlint
- semgrep
- setuptoolslint
- shellcheck
- slick
- sparse
- standard
- stank
- stylelint
- sudokiller
- systemdlint
- textlint
- tiger
- tlv
- tscancode
- upc
- vulture
- wotan
- xmllint
- yamllint
- yara
- Extra modes
- Configuration Examples
- Results
- Build system integration
- Control via command-line
- SCA bot
- Jenkins integration
- Application notes
- Case studies
Please see the detailed contribution guideline for details
To get involved following things can be done
- create an issue
- fix an issue and create a pull request
- see the pinned issues in the bugtracker
For the project's security policy please see here