
Q003 — CI Tooling in Major OSS Projects — Reading List


Must Read

  • Checking Linux's Code With Static Analysis Tools
  • The New Stack, quoting Shuah Khan (Linux Foundation Fellow, kernel maintainer) · June 2, 2021
  • A Linux kernel maintainer discusses the kernel's four bespoke static analysis tools (Sparse, Smatch, Coccinelle, checkpatch.pl) and why kernel-specific tools are preferred over general-purpose SAST.
  • Why read: The most detailed and authoritative source on why a major project builds bespoke tools rather than adopting standard scanners; directly addresses the central question.

Reference

  • Cfbot - PostgreSQL Wiki
  • PostgreSQL community
  • Describes cfbot, PostgreSQL's commitfest CI bot that applies patches and runs CI tests.
  • Why read: Provides evidence of PostgreSQL's bespoke CI infrastructure, though thin on detail about security tooling choices.
