Run Static Code Analysis on 100% of Commits

### **Description**

The [OpenSSF Scorecard](https://scorecard.dev/viewer/?uri=github.com%2Fscanapi%2Fscanapi) identified that **static code analysis (SAST)** is not currently being run on all commits in the ScanAPI repository.

Running SAST tools on every commit helps detect potential vulnerabilities early in the development process and ensures consistent code quality and security coverage across the project.

---

### **📊 Scorecard Findings**

<img width="412" height="176" alt="Image" src="https://github.com/user-attachments/assets/0e9082d8-f69c-4e6a-900f-f72d91a99a95" />

<details>
<summary>Raw Output</summary>

```
Reason
SAST tool is not run on all commits -- score normalized to 7
Details
Warn: 23 commits out of 29 are checked with a SAST tool
```

</details>

---

### **✅ Tasks**

* [ ] Ensure static analysis runs on **every commit and pull request**, not just selectively.
* [ ] Review and, if needed, integrate tools such as **CodeQL**, **Bandit**, or other SAST solutions.
* [ ] Update CI workflows to enforce static analysis checks in all relevant pipelines.
* [ ] Re-run the OpenSSF Scorecard check to confirm full SAST coverage.

---

### **🔗 References**

* [OpenSSF Scorecard Report](https://scorecard.dev/viewer/?uri=github.com%2Fscanapi%2Fscanapi)
* [SAST Check Documentation](https://github.com/ossf/scorecard/blob/f542d69ba0cd01fcff1cc4395b9780f2476af14d/docs/checks.md#sast)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Run Static Code Analysis on 100% of Commits #835

Description

📊 Scorecard Findings

✅ Tasks

🔗 References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Run Static Code Analysis on 100% of Commits #835

Description

Description

📊 Scorecard Findings

✅ Tasks

🔗 References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions