Code Validation


Security vulnerabilities responsible disclosure

Read the FINOS security vulnerabilities responsible disclosure document to know how security incidents are managed across FINOS projects. Use WhiteSource to configure your FINOS project for automated scanning.

In order to assess SecurityQuality and /wiki/spaces/FINOS/pages/75530375 of software hosted by the Foundation, project leads and committers can configure integrations with third-party systems that are provided by the Foundation; the result of these processes can be published in the project's documentation to improve the final consumer experience and when /wiki/spaces/FINOS/pages/75530376.

Below is the list of code validation systems currently available, ordered by features and languages supported.

Below is a matrix of features and languages.

Legal compliance
Check libraries for problematic/undefined licensesWhiteSourceWhiteSourceWhiteSourceWhiteSourceWhiteSource
Generates legal reportsWhiteSourceWhiteSourceWhiteSourceWhiteSourceWhiteSource
Scans code for security vulnerabilitiesCoverityScanSonarCloud 
CodeClimateCoverityScan, SonarCloudCodeClimate, NodeSecuritySonarCloud
Check libraries for security vulnerabilitiesWhiteSourceWhiteSourceWhiteSourceWhiteSource, /wiki/spaces/FDX/pages/75530297WhiteSource
Measures test coverageSonarCloud
Check libraries for bugsWhiteSourceWhiteSourceWhiteSourceWhiteSource/wiki/spaces/FDX/pages/75530297WhiteSource
Check libraries for outdated versionsWhiteSourceWhiteSourceWhiteSourceWhiteSource/wiki/spaces/FDX/pages/75530297WhiteSource
Check unused libraries

Check libraries for release activityWhiteSourceWhiteSourceWhiteSourceWhiteSourceWhiteSource
Scans code for hacks and todos

Scans code for bad practicesCoverityScan
Scans code for bugsCoverityScan

Below is the list of validation tools currently documented by the Foundation.

Project compliance scan

Work in progress

We are working to align these checks with our Project Support Guidelines, read more on

FINOS have developed a tool that scans all the GitHub repositories across all FINOS orgs and generates a report based on the following quality and compliance validations:

  • has-admin - One or more admin collaborators were found in this GitHub repository. FINOS Governance doesn't allow GitHub users to have Admin rights on repositories, therefore it must be removed.
  • has-user - One or more user collaborators were found in this GitHub repository. FINOS Governance only allows GitHub users to be added via Teams. Please remove it, therefore it must be removed.
  • disabled-issues - This GitHub repository does not have GitHub Issues enabled; make sure that there is a documented way to submit questions, feature requests and other communications to the project team.
  • no-teams - This GitHub repository does not grant permissions to any FINOS Team, although it should be configured to grant access to the program and project specific teams defined in Please email and coordinate changes to the repository access permissions.
  • no-issue-templates - This GitHub repository does not use issue templates; please check the issue template blueprints.
  • no-contributing - file is missing; check the template.
  • no-code-conduct - file is missing; check the template.
  • notice-nok - NOTICE file is incomplete; check line 4 of the NOTICE template.
  • no-notice - NOTICE file is missing; check the NOTICE template.
  • no-readme - file is missing; check the template. no-description - This GitHub repository does not have a general description defined; the Edit button is seen when on the repositories main page, which is the Code tab.
  • is-archivable - This repository belongs to project {{project-name}} which is archived, therefore the GitHub repository is expected to be archived too. @finos-staff will get in touch with the project lead to sort it out.
  • readme-nok - file is incomplete; check the template and make sure that ## Contributing and ## License sections exist.
  • no-badge - file is missing the FINOS badge; check the template and make sure that it embeds one of SVG FINOS badges.
  • wrong-badge - Our internal records state that this project is in {{project-state}} state, whereas states {{readme-state}}; make sure that embeds the right FINOS badge." :repo-not-on-file "We don't have this repository on file. We will fix this issue on our side as soon as possible and keep you posted.
  • no-whitesource - WhiteSource configuration was not found; make sure that dependencies are scanned against security vulnerabilities. Read more on the WhiteSource Wiki page.

Code is publicly available on, the command to invoke is check-project-repos.

Reporting via GitHub Issues

In order to deliver these reports directly to the teams, the Open Developer Platform have developed a GitHub Action that uses metadata-tool to generate the project reports and submits a GitHub Issue for each GitHub repository where validation problems were spotted; the issue will include a detailed description of the validation done and point the reader on how to resolve it.

This is an example of auto-generated issue for project compliance.

GitHub Action can be found in the ODP GitHub repo.

Ignoring validations

There may be corner cases, for example repositories that contain data don't need whitesource integration. In those cases, it is possible to define a .finos-blueprint.json file in the root folder, with the following structure:

  "ignore" : [

Exporting to CSV

Here's a useful command to transform the metadata-tool JSON output in CSV.

cat finos-repo-validation.json| jq -r '.[] | [.org, .["repo-name"], .validations["has-admin"], .validations["has-user"], .validations["no-teams"], .validations["no-issues"], .validations["no-issue-templates"], .validations["no-contributing"], .validations["no-code-conduct"], .validations["notice-nok"], .validations["no-notice"], .validations["no-readme"], .validations["no-description"], .validations["is-archivable"], .validations["readme-nok"], .validations["no-badge"], .validations["wrong-badge"], .validations["repo-not-on-file"], .validations["no-whitesource"]] | @csv'

Need help? Email we'll get back to you.

Content on this page is licensed under the CC BY 4.0 license.
Code on this page is licensed under the Apache 2.0 license.