Want integration with Semmle/LGTM.com #1202

jimklimov opened this issue Sep 30, 2019 · 0 comments

@jimklimov

Recently Semmle (http://LGTM.com) became part of GitHub, allowing developers to review their codebases and PRs for security vulnerabilities. It seems there is support for .lgtm.yml files to be put into the codebase and aid in custom worker setup and further testing procedures, which makes sense for our use-case with custom-built prerequisites.

I am not sure at the moment if their engine also recognizes Travis CI setups; a few projects where I tried to enable this "just worked" and a few others did not, failing to use (forked) dependencies they pre-build and do not install via packaging.

I assume that a quick solution for starters could be to generate a simple config that would call the existing ci_build.sh for the hard work, somewhat like https://code.videolan.org/videolan/vlc-android/blob/6f2e56b507dcb4219767d10146e6de858418d09b/.lgtm.yml . Then iterate from here, possibly bringing in required dependency package lists from the travis.yml generator, etc. like in https://github.com/systemd/systemd/blob/master/.lgtm.yml or https://github.com/curl/curl/blob/master/.lgtm.yml (linked just random first hits from googling and seeing major projects doing this).

More to read up on:
