code-signal uses the same branch discipline as RandomCodeSpace/codeiq.
mainis protected and must stay releasable.- Use short-lived feature branches for changes.
- Open a pull request into
main; do not merge directly once branch protection is active. - Keep history linear. Prefer squash merge for PRs.
- Use conventional commit subjects:
feat:,fix:,refactor:,test:,docs:,chore:.
Before opening or merging a PR, run:
go test ./...
go vet ./...
go run ./cmd/scanner scan .CI runs the fuller gate: Go tests, race detector, staticcheck, gosec, govulncheck, OSS security scanners, duplication scan, SBOM generation, OpenSSF Scorecard, and a scanner self-check.
Any behavior change must include tests that exercise the observable contract. For scanner rules, add positive and negative cases. For aggregate report behavior, assert the aggregate counters and ensure no file paths, snippets, line numbers, columns, clone groups, or per-file findings are emitted.
- Built-in analyzers only. Do not add runtime plugin execution or dependency on project-local tools.
- No telemetry, update checks, remote rule downloads, package installs, or network calls from scanner-owned runtime code.
- Keep reports aggregate-only.
- Preserve exit-code policy: completed scans and diffs exit
0; CLI/config/git/runtime/output errors are non-zero.