SCAIFE: Secure Code Analysis for Continuous Integration
Producing secure software free from serious flaws is a top priority for organizations in defense, government, and industry, and the CMU SEI has a long history of engineering solutions that address this challenge. One way analysts and developers identify flaws in software is through the use of static analysis tools. These tools output alerts that identify potential flaws in code. However, manually adjudicating static analysis results as true positive or false positive can be time consuming and requires expert knowledge. This work also requires a consistent adjudication process. To help relieve developers and analysts of this burden, the CMU SEI created the Source Code Analysis Integrated Framework Environment (SCAIFE), a research prototype for a modular architecture that supports static analysis classification and prioritization. SCAIFE is designed to enable a wide variety of tools, systems, and users to use artificial intelligence (AI) classifiers for static-analysis results (meta-alerts) at relatively low cost and effort.
In 2021, the CMU SEI extended SCAIFE to work with continuous integration (CI) systems. CI is a method of software development in which the working copies from all developers on a software project are automatically merged and shared frequently. CI usually includes an automated suite of tests, which sometimes includes static analysis. The CI process keeps any one developer's code from straying too far from the shared codebase and averts catastrophic merge conflicts, as well as merges that introduce bug regressions and/or test failures. Consequently, CI pushes developers to produce stable code that works in an automated build of the software.
SCAIFE for CI works with a range of CI variations, and it can be geared to the level of test automation in use in a given development environment. It can also automatically update its static analysis projects and transfer adjudications appropriately to code updated at various frequencies: code produced on several developer branches and automatically merged on a shared server, and/or code updated daily by developers when they commit to a code repository server. SCAIFE for CI can also support static analysis in development environments that don't yet use a CI server but have generated different versions of the codebase along with static analysis output for those versions. It does so with a graphical user interface process that automates the appropriate transfer of adjudications from one code version's project to the other. The CMU SEI has made the SCAIFE API definition (using OpenAPI v3, in YAML) available via GitHub.
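The page describes transferring adjudications between versions of a codebase but not how alerts are matched across versions. The following is an added illustration, not SCAIFE code and not a description of SCAIFE's actual matching algorithm: it assumes a hypothetical matching key built from the tool, checker, file path, message, and a fingerprint of the whitespace-normalized source line at the alert, so an alert survives line-number shifts but not edits to the flagged code. Alert records, source files, and adjudication labels are constructed for the example.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """One static analysis alert; line numbers are 1-based (constructed shape)."""
    tool: str
    checker: str
    path: str
    line: int
    message: str


def fingerprint(source_lines, line, context=0):
    """Hash the whitespace-normalized source at `line` (plus `context` lines
    on each side). context=0 keys on the flagged line alone; a larger value
    makes matching stricter at the cost of more unmatched alerts."""
    lo = max(0, line - 1 - context)
    hi = min(len(source_lines), line + context)
    text = "\n".join(" ".join(l.split()) for l in source_lines[lo:hi])
    return hashlib.sha256(text.encode()).hexdigest()


def match_key(alert, source_lines):
    """Version-independent identity for an alert (hypothetical scheme)."""
    return (alert.tool, alert.checker, alert.path, alert.message,
            fingerprint(source_lines, alert.line))


def transfer_adjudications(old_alerts, old_sources, old_adjudications,
                           new_alerts, new_sources):
    """Carry adjudications from the old version to alerts in the new version.
    Only unique matches transfer; ambiguous or unmatched alerts are returned
    for manual review rather than guessed."""
    index = {}
    for a in old_alerts:
        if a in old_adjudications:
            index.setdefault(match_key(a, old_sources[a.path]), []).append(a)
    transferred, unmatched = {}, []
    for n in new_alerts:
        candidates = index.get(match_key(n, new_sources[n.path]), [])
        if len(candidates) == 1:
            transferred[n] = old_adjudications[candidates[0]]
        else:
            unmatched.append(n)
    return transferred, unmatched


# Constructed sample: two lines were inserted at the top of the file and the
# return statement was edited between versions.
OLD_SOURCES = {"src/parse.c": [
    "int parse(char *in) {",
    "    char buf[16];",
    "    strcpy(buf, in);",
    "    return strlen(buf);",
    "}",
]}
NEW_SOURCES = {"src/parse.c": [
    "#include <string.h>",
    "",
    "int parse(char *in) {",
    "    char buf[16];",
    "    strcpy(buf, in);",
    "    return (int)strlen(buf);",
    "}",
]}

OLD_ALERTS = [
    Alert("toolA", "STR31-C", "src/parse.c", 3, "strcpy may overflow buf"),
    Alert("toolA", "INT31-C", "src/parse.c", 4, "implicit conversion"),
]
OLD_ADJUDICATIONS = {OLD_ALERTS[0]: "true_positive",
                     OLD_ALERTS[1]: "false_positive"}
NEW_ALERTS = [
    Alert("toolA", "STR31-C", "src/parse.c", 5, "strcpy may overflow buf"),
    Alert("toolA", "INT31-C", "src/parse.c", 6, "implicit conversion"),
]


def demo():
    return transfer_adjudications(OLD_ALERTS, OLD_SOURCES, OLD_ADJUDICATIONS,
                                  NEW_ALERTS, NEW_SOURCES)


if __name__ == "__main__":
    transferred, unmatched = demo()
    for alert, label in transferred.items():
        print(f"transferred {label}: {alert.checker} {alert.path}:{alert.line}")
    for alert in unmatched:
        print(f"needs review: {alert.checker} {alert.path}:{alert.line}")
```

The strcpy alert moved from line 3 to line 5 but its flagged line is unchanged, so its true-positive adjudication carries over; the conversion alert sits on an edited line, so it is deliberately left unmatched for a human to re-adjudicate rather than inheriting a label that may no longer apply.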