Using CommandBox CodeChecker in a CI Environment
CodeChecker is a nice little utility for running various rules against your CFML code. While it's not the most robust solution around, there is a nice suite of built-in rules to handle some of the more serious infractions, such as a query missing cfqueryparam (which leaves it open to SQL injection), or other vulnerabilities.

In addition, the module allows you to write custom regex rules to find issues in your code. This could be useful for checking for coding standard violations, which is what I was trying to do. I wanted to do this in a CI pipeline which, until today, wasn't an option due to lack of exit code support.

The CodeChecker module now supports a --failOnMatch flag that sets a non-zero exit code if CodeChecker finds issues. This should be enough to signal to your CI runner that a failure should be reported.

Here's a sample command that you might run to check your code on demand:

box codechecker run --verbose

Here's the same command, but with the requisite flag to get your CI environment to signal that there's trouble lurking:

box codechecker run --verbose --failOnMatch

That should be all there is to it. I've verified this works using GitLab, but I expect most CI environments should be able to handle this.
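A GitLab CI job that wires the command above into a pipeline, as an added example that is not part of the original post. The Docker image name (ortussolutions/commandbox), the need to blank its entrypoint, and the ForgeBox slug used to install the module (commandbox-codechecker) are assumptions; check them against your own setup.

```yaml
# Added example, not from the original post. Assumptions: the
# ortussolutions/commandbox image provides `box`, its default entrypoint
# starts a server (so it is overridden here), and the module installs
# from ForgeBox as `commandbox-codechecker`.
stages:
  - lint

codechecker:
  stage: lint
  image:
    name: ortussolutions/commandbox
    entrypoint: [""]
  before_script:
    # Install the CodeChecker module into the runner's CommandBox.
    - box install commandbox-codechecker
  script:
    # Without --failOnMatch the command exits 0 regardless of what it finds,
    # so the job would always pass; the flag is what turns matches into a
    # non-zero exit code and therefore a failed job.
    - box codechecker run --verbose --failOnMatch
  # Keep the default so findings actually block the pipeline.
  allow_failure: false
```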