To add a new scan to codeanalyze, providing new enumeration capabilities to security operators everywhere, please see the adding a new capability page.
If you've just cloned codeanalyze for the first time, welcome to the community! We use Palantir's godel to streamline local development and goreleaser to handle the heavy lifting on the release process.
To get started with godel, you can run

```shell
./godelw verify
```

This will run a number of checks for us, including linters, tests, and license checks. We run this command as part of our CI pipeline to ensure the codebase is consistently passing tests.
We can use godel to build our CLI locally by running

```shell
./godelw build
```

You should see output in `out/build/codeanalyze/<version>/<os>-<arch>/codeanalyze`.
If you'd like to clean this output up, you can run

```shell
./godelw clean
```

We can use goreleaser locally as well to test our builds. As codeanalyze uses cosign to sign our artifacts and Docker containers during our CI pipeline, we'll want to skip the signing step when running locally (the local signing identity and keyless credentials only exist in CI).
```shell
goreleaser release --snapshot --clean --skip sign
```

This should output binaries and distributable tarballs/zips under `dist/`, and load the Docker images into your local Docker daemon's image store. Note that snapshot artifacts built this way carry no cosign signature, so they are for local testing only and should not be handed out as release builds.
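The full local loop above (verify, build, locate the binary, smoke-test it, clean, then an unsigned snapshot release) as one script. This is an added example, not a script that ships with codeanalyze; it assumes godel's output layout `out/build/codeanalyze/<version>/<os>-<arch>/codeanalyze` as described above, that the CLI accepts `--help` for a smoke test, and that `uname` reports the host OS and architecture in the usual form. The `find_built_binary` helper is hypothetical and only resolves the path for the host platform.

```shell
#!/bin/sh
# Added example: a local pre-push loop for codeanalyze (not part of the project).
set -eu

# Map the host to godel's <os>-<arch> directory naming (assumed: linux/darwin, amd64/arm64).
host_os() { uname -s | tr '[:upper:]' '[:lower:]'; }
host_arch() {
  case "$(uname -m)" in
    x86_64|amd64) echo amd64 ;;
    aarch64|arm64) echo arm64 ;;
    *) uname -m ;;
  esac
}

# find_built_binary BUILD_ROOT
# Prints the path of the most recently built codeanalyze binary for this host,
# searching BUILD_ROOT/codeanalyze/<version>/<os>-<arch>/codeanalyze (newest version dir first).
# Returns 1 if no executable exists for the host platform.
find_built_binary() {
  root="$1"
  target="$(host_os)-$(host_arch)"
  for v in $(ls -t "$root/codeanalyze" 2>/dev/null); do
    candidate="$root/codeanalyze/$v/$target/codeanalyze"
    if [ -x "$candidate" ]; then
      echo "$candidate"
      return 0
    fi
  done
  echo "no executable codeanalyze binary for $target under $root" >&2
  return 1
}

# The loop from the page: lint/test/license checks, build, smoke-test, clean up.
local_check() {
  ./godelw verify
  ./godelw build
  bin="$(find_built_binary out/build)"
  "$bin" --help >/dev/null          # assumed: the CLI supports --help
  ./godelw clean
}

# Unsigned snapshot release for local testing only; CI is where cosign signing happens.
snapshot_release() {
  goreleaser release --snapshot --clean --skip sign
}

# Only run the real toolchain when invoked as `./local-check.sh run`.
if [ "${1:-}" = "run" ]; then
  local_check
  snapshot_release
fi
```

Run it from the repository root as `sh local-check.sh run`; the `find_built_binary` helper can also be sourced on its own to locate a freshly built binary without re-running the whole loop.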