Using CommandBox CodeChecker in a CI Environment

January 28, 2022

CodeChecker is a nice little utility for running various rules against your CFML code. While it's not the most robust solution around, there is a nice suite of built-in rules to handle some of the more serious infractions such as missing cfqueryparam or other vulnerabilities. In addition, the module allows you to write custom regex rules to find issues in your code. This could be useful for checking for coding standard violations, which is what I was trying to do. I wanted to do this in a CI pipeline which, until today, wasn't an option because the module gave no way to return a non-zero exit code when it found issues.

The CodeChecker module now supports a --failOnMatch flag that can be used to set a non-zero exit code if CodeChecker finds issues. This should be enough to signal to your CI runner that a failure should be reported.

Here's a sample command that you might run to check your code on demand:

box codechecker run --verbose

Here's the same command but with the requisite flag to get your CI environment to signal that there's trouble lurking:

box codechecker run --verbose --failOnMatch

That should be all there is to it. I've verified this works using GitLab, but I expect most CI environments, since they key off the exit code of each step, should be able to handle this.
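As an added example that is not part of the original post, here is a minimal GitLab CI job that runs the command above so that a rule match fails the pipeline. The Docker image name and the ForgeBox module id used for the install are assumptions; adjust them to your setup.

```yaml
# .gitlab-ci.yml (added example; image and module id are assumptions)
stages:
  - lint

codechecker:
  stage: lint
  # Assumed: an image that ships the CommandBox "box" CLI
  image: ortussolutions/commandbox
  before_script:
    # Assumed ForgeBox id for the CodeChecker module
    - box install commandbox-codechecker
  script:
    # --failOnMatch makes "box" exit non-zero when any rule matches,
    # and GitLab marks the job failed on a non-zero exit code
    - box codechecker run --verbose --failOnMatch
  rules:
    # Run on merge requests and on the default branch
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

Without --failOnMatch the same job would always pass, because CodeChecker would print its findings but still exit zero.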