Labels: chore (linting, formatting, dependency hygiene, or project maintenance chores), cicd (issue with CI/CD process: GitHub Actions, scaffolding), devops (DevOps activities: containers, automation, deployment, makefiles, etc.), security (improves security), triage (issues / features awaiting triage)
Description
Set up DevSkim (by Microsoft) to automatically scan the mcpgateway codebase for security anti-patterns and risky code constructs. Add two Makefile targets:

- `devskim-install-dotnet`: one-time .NET + DevSkim CLI setup
- `devskim`: performs static analysis, or shows help if DevSkim isn't installed

This keeps the workflow developer-friendly, idempotent, and easy to plug into CI/CD in the future.
🧱 Areas Affected
- Makefile — `devskim-install-dotnet` + `devskim` targets
- GitHub Actions — optional future CI integration
- Security — baseline static scan for insecure patterns
- Developer Tooling — self-service security checks
- Documentation — usage reference in docs
⚙️ Context / Rationale
Why DevSkim?
DevSkim provides first-pass static analysis for insecure code constructs like hardcoded secrets, improper encryption use, and command injection. Unlike deep security tools, it runs quickly and locally, and works well alongside tools like `bandit` and `safety`.
By separating installation and scanning into two Makefile targets, we provide:
- Opt-in install (`devskim-install-dotnet`) with system prerequisites
- Safe default behavior (`devskim`) that won't fail if DevSkim isn't installed
- CI-ready scaffolding for future security gates
📦 New Make Targets

| Target | Purpose |
|---|---|
| `make devskim-install-dotnet` | Installs .NET 9 SDK and DevSkim CLI |
| `make devskim` | Runs scan if available; prints help if DevSkim missing |
```makefile
.PHONY: devskim devskim-install-dotnet

# One-time setup: .NET 9 SDK from the dotnet backports PPA, then the DevSkim CLI
# as a global dotnet tool (installed under ~/.dotnet/tools). The trailing
# `|| true` keeps the target idempotent when the tool is already installed.
devskim-install-dotnet:
	@echo "📦 Installing .NET SDK and DevSkim CLI..."
	sudo add-apt-repository -y ppa:dotnet/backports
	sudo apt-get update
	sudo apt-get install -y dotnet-sdk-9.0
	export PATH="$$PATH:$$HOME/.dotnet/tools" && \
	dotnet tool install --global Microsoft.CST.DevSkim.CLI || true

# Scan when the CLI is available, otherwise print install instructions and
# exit 0. The dotnet tools directory is not on PATH by default, so it is added
# here as well; without it `command -v devskim` fails right after installing.
devskim:
	@echo "🔐 Running DevSkim static analysis (if installed)..."
	@export PATH="$$PATH:$$HOME/.dotnet/tools"; \
	if command -v devskim >/dev/null 2>&1; then \
		devskim analyze --source-code mcpgateway && \
		devskim analyze --source-code mcpgateway -f text; \
	else \
		echo "⚠️ DevSkim not found. Run 'make devskim-install-dotnet' first."; \
	fi
```
GitHub Actions

```yaml
name: DevSkim

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: '31 6 * * 6'

jobs:
  lint:
    name: DevSkim
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run DevSkim scanner
        uses: microsoft/DevSkim-Action@v1

      - name: Upload DevSkim scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: devskim-results.sarif
```
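The "CI-ready scaffolding for future security gates" mentioned in the rationale needs something that turns DevSkim's report into a pass/fail decision. The following is an added example, not part of this issue's Makefile or workflow: it reads the SARIF file DevSkim produces (the workflow above uploads `devskim-results.sarif`), lists each finding with its level and location, and exits non-zero when any finding is at or above a chosen SARIF level. It relies only on the standard SARIF 2.1.0 layout (`runs[].results[]` with `level`, `ruleId`, `message.text` and `locations[].physicalLocation`); the embedded sample report, its rule IDs and file paths are constructed for the demonstration and are not real DevSkim rules.

```python
"""SARIF gate for DevSkim output (added example; not the project's code).

Reads a SARIF 2.1.0 report, prints its findings and fails when any finding
is at or above a chosen level. The sample report below is constructed.
"""
import json
import sys
from collections import Counter

# SARIF 2.1.0 result levels, least to most severe.
LEVELS = ("none", "note", "warning", "error")

# Constructed sample report: placeholder rule IDs and paths, not real DevSkim rules.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "DevSkim"}},
        "results": [
            {"ruleId": "DS-EXAMPLE-1", "level": "error",
             "message": {"text": "constructed error-level finding"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "mcpgateway/example_a.py"},
                 "region": {"startLine": 10}}}]},
            {"ruleId": "DS-EXAMPLE-2", "level": "warning",
             "message": {"text": "constructed warning-level finding"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "mcpgateway/example_b.py"},
                 "region": {"startLine": 42}}}]},
        ],
    }],
})


def load_sarif(text):
    """Parse a SARIF document from its JSON text."""
    return json.loads(text)


def _rank(level):
    """Numeric severity of a SARIF level; unknown values are treated as 'warning'."""
    return LEVELS.index(level) if level in LEVELS else LEVELS.index("warning")


def iter_findings(sarif):
    """Yield (level, rule_id, uri, line, text) for every result in every run."""
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            level = result.get("level", "warning")  # SARIF default when omitted
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<unknown>")
            line = loc.get("region", {}).get("startLine", 0)
            text = result.get("message", {}).get("text", "")
            yield level, result.get("ruleId", "<no-rule>"), uri, line, text


def count_by_level(sarif):
    """Map each SARIF level present in the report to its number of findings."""
    return dict(Counter(level for level, *_ in iter_findings(sarif)))


def gate(sarif, fail_on="warning"):
    """True when no finding reaches the fail_on level, False otherwise."""
    threshold = _rank(fail_on)
    return all(_rank(level) < threshold for level, *_ in iter_findings(sarif))


def main(argv):
    """Usage: sarif_gate.py [results.sarif] [note|warning|error]; no file -> sample."""
    path = argv[1] if len(argv) > 1 else None
    fail_on = argv[2] if len(argv) > 2 else "warning"
    if path:
        with open(path, encoding="utf-8") as fh:
            sarif = load_sarif(fh.read())
    else:
        sarif = load_sarif(SAMPLE_SARIF)
    for level, rule, uri, line, text in iter_findings(sarif):
        print(f"{level:8} {rule:14} {uri}:{line}  {text}")
    print("totals:", count_by_level(sarif))
    ok = gate(sarif, fail_on)
    print("gate:", "pass" if ok else f"FAIL (findings at or above {fail_on!r})")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments to see the gate fail on the constructed sample; point it at a real report (`python sarif_gate.py devskim-results.sarif error`) to fail only on error-level findings while still printing warnings, which is the usual way to introduce a new scanner without blocking every existing pull request on day one.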
📋 Acceptance Criteria
- .NET 9 SDK and DevSkim installable via `make devskim-install-dotnet`
- `make devskim` runs scan only if DevSkim is installed
- Graceful fallback with help instructions if CLI not present
- Documentation mentions how to run and install DevSkim
- CI integration deferred to future task
🛠️ Task List
- Add `devskim-install-dotnet` and `devskim` targets to Makefile
- Validate local install and scanning output
- Update docs with DevSkim usage note
- (Optional) Plan separate CI job for static security scanning
📖 References
- DevSkim GitHub — https://github.com/microsoft/DevSkim
- .NET SDK for Ubuntu — https://learn.microsoft.com/en-us/dotnet/core/install/linux-ubuntu
🧩 Additional Notes
- Default install path is `~/.dotnet/tools/devskim`
- Consider future `.devskimrc` for rule tuning
- Works well alongside Python tools like `bandit`, `safety`, `semgrep`
- Fast, portable, and minimal configuration footprint