
Q003 — Linux Kernel Uses Bespoke CI; Others Unstudied — Assessment


The Linux kernel uses an extensive suite of domain-specific tools rather than standard SAST/SCA. CNCF allows project-level tool choice without mandating scanners. Three of five target projects (PostgreSQL, Node.js, CPython) were not adequately covered and require separate investigation.

Evidence Synthesis

Evidence quality: Medium — Linux kernel tooling is well-documented with authoritative primary sources (kernel.org docs, KernelCI). PostgreSQL, Node.js, and CPython CI tooling was not directly addressed by any fetched source. CNCF infrastructure documentation is available but high-level.

Source agreement: High — Sources agree that the Linux kernel uses domain-specific tools (Sparse, Smatch, Coccinelle, KernelCI) rather than commercial SAST. No source suggested these projects use or have adopted standard SAST/SCA tools.

Independence: The kernel testing overview (embeddedbits.org) and official kernel documentation (kernel.org) are independent perspectives converging on the same tooling inventory.

Probability Assessment

Confidence: Medium

Evidence Gaps

Expected but not found:
- PostgreSQL CI infrastructure and quality tooling documentation.
- Node.js CI infrastructure and quality tooling documentation.
- CPython CI infrastructure and quality tooling documentation.
- Documented cases of any of the five projects evaluating and rejecting CodeQL, Semgrep, or Trivy.

Unanswered questions:
- Do PostgreSQL, Node.js, and CPython use standard SAST/SCA tools or bespoke tooling?
- Have any of the five projects formally evaluated CodeQL or Semgrep and documented their findings?
- Does Kubernetes use CodeQL, Trivy, or other standard scanning tools as part of its CI?

Impact on confidence: The incomplete coverage (only 1 of 5 projects well-documented) significantly limits confidence in generalizing the 'bespoke over standard' finding. The kernel is arguably the most extreme case, since its C code base, custom build system, and address-space annotations are exactly what Sparse, Smatch, and Coccinelle were built for; projects with more conventional build pipelines may be more amenable to standard tools.
