Skip to content

Latest commit

 

History

History
34 lines (23 loc) · 1.43 KB

File metadata and controls

34 lines (23 loc) · 1.43 KB

Contributing

code-signal uses the same branch discipline as RandomCodeSpace/codeiq.

Branch strategy

  • main is protected and must stay releasable.
  • Use short-lived feature branches for changes.
  • Open a pull request into main; do not merge directly once branch protection is active.
  • Keep history linear. Prefer squash merge for PRs.
  • Use conventional commit subjects: feat:, fix:, refactor:, test:, docs:, chore:.

Required checks

Before opening or merging a PR, run:

go test ./...
go vet ./...
go run ./cmd/scanner scan .

CI runs the fuller gate: Go tests, race detector, staticcheck, gosec, govulncheck, OSS security scanners, duplication scan, SBOM generation, OpenSSF Scorecard, and a scanner self-check.

Test policy

Any behavior change must include tests that exercise the observable contract. For scanner rules, add positive and negative cases. For aggregate report behavior, assert the aggregate counters and ensure no file paths, snippets, line numbers, columns, clone groups, or per-file findings are emitted.

Design constraints

  • Built-in analyzers only. Do not add runtime plugin execution or dependency on project-local tools.
  • No telemetry, update checks, remote rule downloads, package installs, or network calls from scanner-owned runtime code.
  • Keep reports aggregate-only.
  • Preserve exit-code policy: completed scans and diffs exit 0; CLI/config/git/runtime/output errors are non-zero.