Q003 — Linux Kernel Uses Bespoke CI; Others Unstudied — Medium
Summary
Query: Among well-resourced open source projects (Linux kernel, PostgreSQL, Node.js, Kubernetes, Python CPython), what CI and quality enforcement tooling do they actually run, and why do they build bespoke tooling rather than adopting standard commercial or open-source SAST/SCA scanners like CodeQL, Semgrep, and Trivy? Is there evidence that these tools are considered inadequate, too noisy, or inapplicable to large-scale projects?
Bottom Line: The Linux kernel uses an extensive suite of domain-specific tools rather than standard SAST/SCA. CNCF allows project-level tool choice without mandating scanners. Three of five target projects (PostgreSQL, Node.js, CPython) were not adequately covered and require separate investigation.
Results
| Artifact | Description |
|---|---|
| Input | Original text, clarification, scope, vocabulary |
| Assessment | Evidence synthesis, probability assessment, gaps |
| Self-Audit | Process audit across 4 ROBIS domains |
| Reading List | Prioritized source list |
Searches
| ID | Target | Returned | Selected |
|---|---|---|---|
| S01 | Linux kernel CI and quality tooling ecosystem | ? | ? |
| S02 | Linux kernel CI and quality tooling ecosystem | ? | ? |
| S03 | PostgreSQL, Node.js, and CPython CI tooling | ? | ? |
| S04 | Kubernetes CI and CNCF security tooling infrastructure | ? | ? |
| S05 | Standard SAST/SCA tool limitations at scale | ? | ? |
| S06 | PostgreSQL, Node.js, and CPython CI tooling | ? | ? |
Sources
| ID | Title | Reliability | Relevance |
|---|---|---|---|
| SRC001 | https://mir.cs.illinois.edu/marinov/publications/HiltonETAL1 | High | High |
| SRC002 | https://decan.lexpage.net/files/SANER-2022a.pdf | High | High |
| SRC003 | https://www.sciencedirect.com/science/article/abs/pii/S01641 | High | High |
| SRC004 | https://blog.jetbrains.com/teamcity/2026/03/best-ci-tools/ | Medium | Medium |
| SRC005 | https://www.chainguard.dev/unchained/wolfis-upstream-securit | Medium | High |
| SRC006 | https://www.scworld.com/news/open-source-vulnerabilities-per | Medium | High |
| SRC007 | https://www.sonatype.com/state-of-the-software-supply-chain/ | Medium | High |
| SRC008 | https://arxiv.org/html/2409.07669v2 | High | High |
| SRC009 | https://www.pixee.ai/blog/sast-false-positives-reduction | Medium | High |
| SRC010 | https://embeddedbits.org/how-is-the-linux-kernel-tested-embe | Medium | High |
| SRC011 | https://www.kernel.org/doc/html/v6.5/dev-tools/testing-overv | High | High |
| SRC012 | https://arxiv.org/html/2605.07900v1 | High | High |
| SRC013 | https://www.nist.gov/news-events/news/2026/04/nist-updates-n | High | High |
| SRC014 | https://www.moderne.ai/blog/security-dependency-updates-unma | Medium | High |
| SRC015 | https://contribute.cncf.io/resources/services/hosted-tools/ | High | Medium |
| SRC016 | https://www.linuxfoundation.org/research/maintainer-perspect | High | High |
Evidence Snapshot
| Dimension | Rating |
|---|---|
| Evidence quality | Medium |
| Source agreement | High |
Revisit Triggers
- [study] PostgreSQL, Node.js, or CPython CI tooling is investigated in a follow-up research run covering the missing three projects.
- [study] A study documents CodeQL or Semgrep adoption among the top 100 or top 1000 most-contributed-to open source projects.
- [policy] CNCF mandates specific security scanning tools for graduated projects, creating a measurable baseline.
- [data_update] GitHub publishes data on CodeQL adoption among projects with >100 contributors, providing large-project adoption rates.
- [event] The Linux kernel begins using CodeQL, Semgrep, or another standard SAST tool alongside its bespoke tools.