LGTM - a code analysis platform for identifying vulnerabilities and preventing them from reaching production. #99
Replies: 7 comments
-
BTW your repository needs a
-
I just learned that the environment running the LGTM analysis does not support Docker (when the
-
Will it just run on MR?
-
Yes, when a new PR is opened against your repo it should be there as an additional check.
-
LGTM will be shut down in December 2022: https://github.blog/2022-08-15-the-next-step-for-lgtm-com-github-code-scanning/ The recommendation is to use GitHub Code Scanning instead.
-
@gastaldi Just wanted to make sure I understood the link correctly - no immediate action is needed on our part, correct? GitHub will submit PRs in October to each repo for the migration from LGTM to GitHub Code Scanning, and once we merge that PR in, we would just go ahead and disable LGTM?
-
@shumonsharif yes, that's correct.
-
LGTM is a code analysis platform for finding zero-days and preventing critical vulnerabilities. We have enabled the application in the Quarkiverse organization to build PRs but only for a few repositories for the time being.
If you're an extension maintainer and wish to enable LGTM in your Quarkiverse repository, send a PR in the quarkiverse-devops repository.
NOTE: The branch must be created in the same repository; it won't work in a separate fork (@quarkiverse/quarkiverse-members should be able to create new branches there).
Here is what the PR should look like: quarkiverse/quarkiverse-devops@c9382dd