Code scanning on GitHub? #89

Open
3 tasks
wendellpiez opened this issue Nov 21, 2023 · 0 comments
Labels
enhancement New feature or request


User Story:

One might think that as a declarative DSL, XSLT is a good subject for code scanning.

This can be set up under GitHub for this site and potentially other sites.

It would be great if we had code scanning we could do apart from GitHub too, however, which is probably the place to start.

Rudimentary code scanning can be found here: https://github.com/usnistgov/xslt3-functions/tree/main/directory-manifest - an application that scans and reads XProc, XSLT and XML, albeit without performing much analysis.

Things to think about:

  • serious static code analysis of XSLT
  • extending to include XSpec and other resource types
  • what do SBOMs look like?

Goals:

Learn more about the feasibility and usefulness of code scanning on this repo (XSLT and other).

Demo some code scanning.

An ideal prototype would be minimally but demonstrably useful and maximally transparent, maintainable and extensible.

Dependencies:

None known. This is a research spike.

Acceptance Criteria:

Note that a PR does not have to be accepted, just submitted. A discussion board or spin-off Issues could also accommodate this if necessary.

  • All website and readme documentation affected by the changes in this issue have been updated. Changes to the website can be made in the docs/content directory of your branch.
  • A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
  • The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.
@wendellpiez wendellpiez added the enhancement New feature or request label Nov 21, 2023