Q003 — CI Tooling in Major OSS Projects — Input
Original Text
Among well-resourced open source projects (Linux kernel, PostgreSQL, Node.js, Kubernetes, Python CPython), what CI and quality enforcement tooling do they actually run, and why do they build bespoke tooling rather than adopting standard commercial or open-source SAST/SCA scanners like CodeQL, Semgrep, and Trivy? Is there evidence that these tools are considered inadequate, too noisy, or inapplicable to large-scale projects?
Clarified for Testability
For the following well-resourced, large-scale open source projects — Linux kernel, PostgreSQL, Node.js, Kubernetes, and Python (CPython) — what CI and quality enforcement tooling do they actually use in their development workflows? Specifically: (a) Do they use commercial or standard open-source SAST tools (CodeQL, Semgrep, SonarQube) and SCA tools (Trivy, Snyk, Dependabot)? (b) If not, what bespoke or project-specific tooling have they built instead, and why? (c) Is there documented evidence (mailing list discussions, conference talks, issue tracker discussions) that standard SAST/SCA tools are considered inadequate, too noisy (high false-positive rates), or fundamentally inapplicable to these large-scale codebases?
Embedded Assumptions Surfaced
- Assumes these five projects are representative of 'well-resourced' OSS projects.
- Assumes these projects have actively evaluated and rejected standard SAST/SCA tools, rather than simply not considered them.
- Assumes 'bespoke tooling' means custom-built alternatives, not just configuration of existing tools.
- Assumes documented rationale exists for tooling choices in these projects.
Scope
| Dimension | Value |
|---|---|
| Domain | Software engineering — CI tooling choices in large-scale open source projects |
| Timeframe | 2020-2025 |
| Testability | Answerable through examining each project's CI configuration, documentation, mailing list archives, and contributor discussions about tooling decisions. |
Vocabulary Map
Primary Terms: Linux kernel CI, PostgreSQL CI, Node.js CI, Kubernetes CI, CPython CI, bespoke tooling, SAST inadequacy
Domain Variants: custom linting, project-specific analysis, in-house static analysis, homegrown CI tools
Related Concepts: Coccinelle, sparse, smatch, kernelCI, patchwork, Prow, CI/CD at scale, CodeQL, Semgrep, Trivy