Contents
Summary
Query: Among well-resourced open source projects (Linux kernel, PostgreSQL, Node.js, Kubernetes, Python CPython), what CI and quality enforcement tooling do they actually run, and why do they build bespoke tooling rather than adopting standard commercial or open-source SAST/SCA scanners like CodeQL, Semgrep, and Trivy? Is there evidence that these tools are considered inadequate, too noisy, or inapplicable to large-scale projects?
Bottom Line: Direct evidence was found primarily for the Linux kernel and partially for PostgreSQL. The kernel uses four bespoke static analysis tools (checkpatch.pl, Sparse, Smatch, Coccinelle) integrated with the kernel Makefile rather than standard SAST tools. False positives and lack of kernel-specific semantics are cited by kernel maintainer Shuah Khan as primary reasons. PostgreSQL uses cfbot for bespoke patch-review CI. Evidence for Node.js, Kubernetes, and CPython was not found in this investigation. The pattern of building bespoke tooling is well-documented for the kernel but extrapolated to other projects.
Results
| Artifact |
Description |
| Input |
Original text, clarification, scope, vocabulary |
| Assessment |
Evidence synthesis, probability assessment, gaps |
| Self-Audit |
Process audit across 4 ROBIS domains |
| Reading List |
Prioritized source list |
Searches
| ID |
Target |
Returned |
Selected |
| S01 |
Linux kernel CI and static analysis tooling |
0 |
0 |
| S02 |
PostgreSQL CI and quality enforcement tooling |
0 |
0 |
| S03 |
Node.js, Kubernetes, and CPython CI tooling |
? |
? |
| S04 |
Node.js, Kubernetes, and CPython CI tooling |
? |
? |
| S05 |
Reasons large projects build bespoke tooling or reject stand |
? |
? |
| S06 |
Node.js, Kubernetes, and CPython CI tooling |
? |
? |
Sources
| ID |
Title |
Reliability |
Relevance |
| SRC001 |
https://mir.cs.illinois.edu/marinov/publications/HiltonETAL1 |
High |
High |
| SRC002 |
https://arxiv.org/html/2602.14572v3 |
High |
High |
| SRC003 |
https://www.blackduck.com/blog/open-source-trends-ossra-repo |
High |
High |
| SRC004 |
https://www.scworld.com/news/open-source-vulnerabilities-per |
Medium |
High |
| SRC005 |
https://www.sonatype.com/state-of-the-software-supply-chain/ |
High |
High |
| SRC006 |
https://www.sonatype.com/press-releases/sonatypes-10th-annua |
High |
High |
| SRC007 |
https://www.chainguard.dev/unchained/wolfis-upstream-securit |
Medium |
High |
| SRC008 |
https://github.com/ossf/scorecard |
High |
High |
| SRC009 |
https://blog.jetbrains.com/teamcity/2025/10/the-state-of-cic |
Medium |
Medium |
| SRC010 |
https://arxiv.org/html/2409.07669v2 |
High |
High |
| SRC011 |
https://www.pixee.ai/blog/sast-false-positives-reduction |
Medium |
High |
| SRC012 |
https://thenewstack.io/checking-linuxs-code-with-static-anal |
High |
High |
| SRC013 |
https://www.sonatype.com/state-of-the-software-supply-chain/ |
High |
High |
Evidence Snapshot
| Dimension |
Rating |
| Evidence quality |
Medium |
| Source agreement |
Medium |
Revisit Triggers
- [data_update] Kubernetes CI infrastructure (Prow/Tide) documentation or blog posts discussing security scanning adoption are published or found.
- [study] CPython's GitHub Actions CI workflows are analyzed for security tooling presence.
- [data_update] Node.js publishes documentation on their CI infrastructure and security scanning practices.
- [event] Any of the five named projects adopts CodeQL, Semgrep, or another standard SAST tool, which would contradict the bespoke-tooling pattern.
- [study] An academic study comparing false-positive rates of general-purpose SAST vs. project-specific tools on large codebases is published.
← Back to run overview