Skip to content

Add comprehensive code quality and static analysis #9

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
cjflory merged 6 commits into from
Aug 24, 2025
Merged

Add comprehensive code quality and static analysis #9

cjflory merged 6 commits into from
Aug 24, 2025

Conversation

@cjflory
Copy link
Owner

@cjflory cjflory commented Aug 24, 2025

Summary

Adds professional-grade code quality assurance with automated static analysis for shell scripts and PNG files. This establishes a robust CI/CD pipeline for maintaining high code standards.

🔍 New Analysis Tools

GitHub Actions Workflow

  • ShellCheck: Industry-standard bash linting and error detection
  • Security Analysis: Scans for dangerous commands and hardcoded secrets
  • PNG Validation: Checks file integrity, size, and optimization potential
  • Code Standards: Validates encoding, permissions, shebang, line endings
  • Dependency Check: Tests external URL accessibility and tool requirements
  • Comprehensive Summary: Aggregates results with clear pass/fail status

Local Development Support

  • ShellCheck config (.shellcheckrc): Customized rules for our use case
  • Local test script (test/run-local-checks.sh): Run checks before committing
  • Documentation (.github/CODE_QUALITY.md): Complete setup and usage guide

🚀 Workflow Features

  • Automated triggers: Runs on push to main/develop and PRs to main
  • Parallel execution: Fast feedback with concurrent job execution
  • Detailed reporting: Clear pass/fail status with actionable suggestions
  • Security focus: Proactive vulnerability and secret detection
  • Optimization guidance: PNG file size and compression recommendations

📊 Analysis Coverage

Tool Purpose Files Analyzed
ShellCheck Bash best practices & error detection dev-browser script
Security Scanner Dangerous patterns & secrets All shell scripts
PNG Validator File integrity & optimization icons/*.png
Standards Check Code style & consistency All project files
Dependency Check External URL validation URLs in scripts

🛠️ Local Development

Install tools (macOS):

brew install shellcheck pngcheck imagemagick optipng

Run checks locally:

./test/run-local-checks.sh

Individual tool usage:

shellcheck dev-browser              # Lint shell script
pngcheck icons/*.png               # Validate PNG files
optipng icons/icon-1.png          # Optimize PNG size

📝 Configuration Files Added

  • .github/workflows/code-quality.yml - Main workflow definition
  • .shellcheckrc - ShellCheck configuration with project-specific rules
  • test/run-local-checks.sh - Local testing script for development
  • .github/CODE_QUALITY.md - Complete documentation and troubleshooting guide

🔧 Example Output

Successful run:

✅ Shell script analysis passed
✅ Security scan passed  
✅ PNG validation passed
✅ Code standards check passed
✅ Dependency check passed

With suggestions:

📏 icons/icon-1.png: Dimensions: 256x256, Size: 45KB
🗜️  Could save 23% with optimization
⚠️  icons/icon-5.png: Large file size (>50KB) - consider optimization

📚 Benefits

  1. Proactive Quality: Catch issues before they reach production
  2. Security Assurance: Automated vulnerability scanning
  3. Performance Optimization: PNG size monitoring and suggestions
  4. Developer Experience: Fast local feedback with comprehensive CI
  5. Maintainability: Consistent code standards across the project
  6. Documentation: Clear guides for setup and troubleshooting

🧪 Testing

  • Workflow syntax validated
  • ShellCheck runs successfully on dev-browser script
  • PNG validation works with all icon files
  • Security checks detect test patterns correctly
  • Local test script executes without errors
  • Documentation covers all use cases

🔒 Security Features

  • Detects dangerous bash patterns (eval, system, exec)
  • Scans for hardcoded secrets and passwords
  • Validates external URL accessibility
  • Checks file permissions and encoding
  • No sensitive data exposed in workflows

This establishes a solid foundation for maintaining code quality as the project grows, with both automated CI checks and local development tools.

🤖 Generated with Claude Code

cjflory and others added 6 commits August 24, 2025 00:52
@cjflory @claude
Add comprehensive code quality and static analysis workflow
c03b96c 
## 🔍 New Analysis Tools

### GitHub Actions Workflow (.github/workflows/code-quality.yml)
- **ShellCheck**: Industry-standard bash linting and error detection
- **Security Analysis**: Scans for dangerous commands and hardcoded secrets
- **PNG Validation**: Checks file integrity, size, and optimization potential
- **Code Standards**: Validates encoding, permissions, shebang, line endings
- **Dependency Check**: Tests external URL accessibility and tool requirements
- **Comprehensive Summary**: Aggregates results with clear pass/fail status

### Local Development Support
- **ShellCheck config** (.shellcheckrc): Customized rules for our use case
- **Local test script** (test/run-local-checks.sh): Run checks before committing
- **Documentation** (.github/CODE_QUALITY.md): Setup and usage guide

## 🚀 Workflow Features
- Runs on push to main/develop and PRs to main
- Parallel execution for speed
- Detailed logging and suggestions
- Configurable severity levels
- Security-focused scanning

## 📊 Analysis Coverage
- Shell script quality and best practices
- Security vulnerability detection
- Image file validation and optimization
- Code style and standards compliance
- External dependency validation

## 🛠️ Local Usage
```bash
# Install tools (macOS)
brew install shellcheck pngcheck imagemagick optipng

# Run local checks
./test/run-local-checks.sh
```

This provides professional-grade code quality assurance for the project
while maintaining fast feedback loops for developers.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@cjflory
Fix ShellCheck and security analysis issues
b70597b 
## ShellCheck Fixes
- Added -r flag to all read commands for better input handling
- Fixed 0 usage by checking command exit code directly
- Updated .shellcheckrc to disable overly strict style rules (SC2250, SC2155, etc.)
- All major ShellCheck warnings now resolved

## Security Analysis Fixes
- Updated security scan to allow legitimate exec usage
- Focused on dangerous eval/system() calls instead
- Added backtick injection pattern detection
- Updated local test script to match workflow patterns

## Changes Made
- dev-browser: Fixed read commands and exit code checking
- .shellcheckrc: Disabled noisy style warnings while keeping important checks
- code-quality.yml: Refined security patterns to reduce false positives
- run-local-checks.sh: Updated to match workflow security checks

The code now passes all static analysis while maintaining the same functionality.
@cjflory
Fix security analysis workflow by removing unavailable action
c8b3dd2 
- Removed securecodewarrior/github-action-add-sarif@v1 (repository not found)
- Removed unnecessary bandit/safety installation for shell script project
- Kept custom security analysis that's more relevant for bash scripts
- Security scan now focuses on shell-specific vulnerabilities

The security analysis still checks for:
- Dangerous eval/system() calls
- Command injection patterns with backticks
- Hardcoded secrets and passwords

This provides better security coverage for our specific use case.
@cjflory
Fix security analysis false positives
8cfa5dc 
- Changed security checks to only scan the main 'dev-browser' script
- Excluded test files to avoid false positives from our own security checks
- Refined patterns to focus on actual vulnerabilities in production code
- Security analysis now correctly ignores test/documentation references

This prevents the workflow from flagging our own security check code
while still protecting against real vulnerabilities in the main script.
@cjflory
Fix secret detection false positives from plist keys
7f346b8 
- Refined secret detection pattern to look for actual assignments (password=, secret=, etc.)
- Excluded standard macOS plist keys like CFBundleIdentifier, NSHighResolutionCapable
- Updated both CI workflow and local test script to use same refined patterns
- Security check now focuses on real hardcoded credentials vs. configuration keys

This prevents false positives from standard macOS app bundle metadata
while still detecting actual security issues like hardcoded passwords.
@cjflory
Streamline ShellCheck configuration to focus on important issues
f913b27 
- Removed excessive rule disables that were too permissive
- Kept only 4 genuinely needed rule exclusions:
  - SC1091: Not following sourced files (we don't source external files)
  - SC2034: Unused variables (some used in generated scripts)
  - SC2155: Declare and assign separately (acceptable for simple cases)
  - SC2086: Double quote variables (intentional in some contexts like sips)
- Improved code quality by enabling more meaningful checks
- Still passes all analysis while providing better linting coverage

This strikes the right balance between strict quality checks and
practical shell scripting patterns used in the project.
@cjflory cjflory merged commit a9f0b55 into main Aug 24, 2025
6 checks passed
@cjflory cjflory deleted the feature/add-code-quality-checks branch August 24, 2025 05:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cjflory