From #CentOSConnect: František Lachman and Siteshwar Vashisht talked about using OpenScanHub and Packit for static analysis.

https://www.youtube.com/watch?v=XYCh1hkCo-o&list=PLuRtbOXpVDjDCM16tT5KHPbz3_Fy0vNzR&index=7

#OpenScanHub #Packit

OpenScanHub and Packit: Fully automated static analysis of RPM-based distributions

I would be talking about OpenScanHub and Packit at CentOS Connect 2025 https://cfp.fedoraproject.org/centos-connect-2025/talk/L3DAQL/ #CentOS #CentOSConnect #FOSDEM #OpenScanHub #packit
OpenScanHub and Packit: Fully automated static analysis of RPM-based distributions CentOS Connect

What if detecting bugs and vulnerabilities in RPM-based distributions could be seamless and fully automated? OpenScanHub is a service for static and dynamic code analysis. It was internally used inside Red Hat to scan releases of RHEL for more than a decade and was open-sourced in 2023. OpenScanHub can fully automatically scan RPMs and has the ability to do differential scans that help in finding bugs that may be introduced on package updates and new distribution releases. By default, it supports static analyzers embedded in GCC, Cppcheck, ShellCheck, find-unicode-control, Clippy and is extensible to support other analyzers. It can collect reports from various analyzers in a single place to make it easy to analyze them. OpenScanHub was recently integrated with Packit, a CI/CD solution for automating RPM package builds, tests, and distribution releases. This new integration performs differential scans on pull requests, so potential bugs may be found during the pull request review process and would not be introduced into the codebase. In this talk, we will share ideas about how CentOS Stream and its derivatives may benefit from OpenScanHub.

Siteshwar Vashisht: OpenScanHub: A Brief Introduction - GNU Tools Cauldron 2024


Are you coming to GNU Tools Cauldron 2024 conference this year?

@siteshwarv is going to present OpenScanHub and static analysis via Packit! 🔎

https://gcc.gnu.org/wiki/cauldron2024#cauldron2024talks.openscanhub_a_brief_introduction

#gnu #openscanhub #fedora #sast #packit

cauldron2024 - GCC Wiki

When watching the talk about OpenScanHub, I couldn't help but think about the posts by @usgraphics about keeping the UI simple, easy to use and without any unnecessary bloat :) (bit late to party, but nice screenshots)
#DevConf_CZ #opensource #DefineFuture #OpenScanHub #Fedora