CI static analysis #15

Closed
opened 2026-06-12 20:27:47 +00:00 by james · 0 comments
Owner

Lint + typecheck are already in #13. This ticket adds deeper analysis.

Scope

  • typescript-eslint strict rule set on top of the base ESLint config.
  • A Semgrep ruleset for common JS/TS bug patterns (untrusted-input flows, dangerous APIs).
  • Runs on PR; finding above threshold fails the check.

Acceptance criteria

  • A planted unsafe pattern (e.g. eval, raw-string SQL concatenation) trips the check in a throwaway branch.
  • Findings are surfaced in the PR output clearly.

Part of epic #2. Depends on #13.

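A minimal Semgrep ruleset covering the two planted patterns from the acceptance criteria (`eval` and raw-string SQL concatenation), added here as an illustration; it is not the repository's own ruleset, and the rule ids, messages and the `$DB.query` call shape are assumptions.

```yaml
# Added example ruleset (not the repo's own). Rule ids, messages and the
# `$DB.query` call shape are assumptions; adjust to the project's DB client.
rules:
  - id: js-eval-usage
    languages: [javascript, typescript]
    severity: ERROR
    message: >-
      eval()/new Function() execute arbitrary code; with attacker-influenced
      input this is code injection. Replace with a parser or explicit dispatch.
    metadata:
      category: security
      cwe: "CWE-95"
    pattern-either:
      - pattern: eval($CODE)
      - pattern: new Function(...)

  - id: js-sql-string-concat
    languages: [javascript, typescript]
    severity: ERROR
    message: >-
      SQL statement built by string concatenation or template interpolation
      with a non-literal value. Use a parameterised query instead.
    metadata:
      category: security
      cwe: "CWE-89"
    patterns:
      # Match a query whose argument contains a literal glued to a variable,
      # anywhere inside the expression (<... ...> is the deep-match operator).
      - pattern-either:
          - pattern: $DB.query(<... "..." + $INPUT ...>, ...)
          - pattern: $DB.query(<... `...${$INPUT}...` ...>, ...)
      # Literal-only concatenation is noisy but not injectable; skip it.
      - pattern-not: $DB.query(<... "..." + "..." ...>, ...)
```

Running `semgrep --config rules/ --error --severity ERROR src/` makes the job exit non-zero only on ERROR-level findings, which is the "finding above threshold fails the check" behaviour the scope asks for; a throwaway branch containing `eval(req.query.expr)` or `` db.query(`SELECT * FROM users WHERE id = ${req.params.id}`) `` should trip both rules.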
james closed this issue 2026-06-14 13:16:31 +00:00
Reference
james/carol#15