Skip to main content

Code Validation

In order to assess Security, Quality and Legal compliance of software hosted by the Foundation, project leads and committers can configure integrations with third-party systems that are provided by the Foundation; the result of these processes can be published in the project's documentation to improve the final consumer experience and when requesting activation.

Below is the list of code validation systems currently available, across supported languages and validation features.

Security vulnerabilities responsible disclosure

Read the FINOS security vulnerabilities responsible disclosure document to know how security incidents are managed across FINOS projects. Use WhiteSource to configure your FINOS project for automated scanning.

Matrix of validation features and supported languages

Legal compliance
Check libraries for problematic/undefined licensesWhiteSourceWhiteSourceWhiteSourceWhiteSourceWhiteSource
Generates legal reportsWhiteSourceWhiteSourceWhiteSourceWhiteSourceWhiteSource
Scans code for security vulnerabilitiesFINOS Code Scanning, CoverityScan, SonarCloudFINOS Code ScanningFINOS Code Scanning, CodeClimate, CoverityScan, SonarCloudFINOS Code Scanning, CodeClimate, NodeSecurity,SonarCloudFINOS Code Scanning
Check libraries for security vulnerabilitiesFINOS Code Scanning, WhiteSourceFINOS Code Scanning, WhiteSourceFINOS Code Scanning, WhiteSourceFINOS Code Scanning, WhiteSource, BitHoundFINOS Code Scanning, WhiteSource
Measures test coverageSonarCloudCodeClimate,SonarCloudCodeClimate, SonarCloud
Check libraries for bugsWhiteSourceWhiteSourceWhiteSourceWhiteSource, BitHoundWhiteSource
Check libraries for outdated versionsWhiteSourceWhiteSourceWhiteSourceWhiteSource, BitHoundWhiteSource
Check unused librariesBitHound
Check libraries for release activityWhiteSourceWhiteSourceWhiteSourceWhiteSourceWhiteSource
Scans code for hacks and todosBitHound
Scans code for bad practicesCoverityScanCodeClimate, CoverityScanCodeClimate
Scans code for bugsCoverityScanCoverityScan

Continuous validation

FINOS provides a set of tools, specifically GitHub Apps and Actions, that enforce a continuous scanning across the FINOS GitHub repositories.


To help project leads validate external contributor's identity and capacity to contribute code to the Foundation please visit to know more about FINOS CLAs.

Project compliance scan

FINOS have developed a tool that scans all the GitHub repositories across all FINOS orgs and generates a report based on the following quality and compliance validations:

  • has-admin - One or more admin collaborators were found in this GitHub repository. FINOS Governance doesn't allow GitHub users to have Admin rights on repositories, therefore it must be removed.
  • has-user - One or more user collaborators were found in this GitHub repository. FINOS Governance only allows GitHub users to be added via Teams. Please remove it, therefore it must be removed.
  • disabled-issues - This GitHub repository does not have GitHub Issues enabled; make sure that there is a documented way to submit questions, feature requests and other communications to the project team.
  • no-teams - This GitHub repository does not grant permissions to any FINOS Team, although it should be configured to grant access to project maintainers defined as GitHub Teams. Please email and coordinate changes to the repository access permissions.
  • no-issue-templates - This GitHub repository does not use issue templates; please check the issue template blueprints.
  • no-contributing - file is missing; check the template.
  • no-code-conduct - file is missing; check the template.
  • notice-nok - NOTICE file is incomplete; check line 4 of the NOTICE template.
  • no-notice - NOTICE file is missing; check the NOTICE template.
  • no-readme - file is missing; check the template. no-description - This GitHub repository does not have a general description defined; the Edit button is seen when on the repositories main page, which is the Code tab.
  • is-archivable - This repository belongs to project {{project-name}} which is archived, therefore the GitHub repository is expected to be archived too. @finos-staff will get in touch with the project lead to sort it out.
  • readme-nok - file is incomplete; check the template and make sure that ## Contributing and ## License sections exist.
  • no-badge - file is missing the FINOS badge; check the template and make sure that it embeds one of SVG FINOS badges.
  • wrong-badge - Our internal records state that this project is in {{project-state}} state, whereas states {{readme-state}}; make sure that embeds the right FINOS badge." :repo-not-on-file "We don't have this repository on file. We will fix this issue on our side as soon as possible and keep you posted.
  • no-whitesource - WhiteSource configuration was not found; make sure that dependencies are scanned against security vulnerabilities. Read more on the WhiteSource page.

Code is publicly available on, the command to invoke is check-project-repos.

Ignoring validations

There may be corner cases, for example repositories that contain data don't need whitesource integration. In those cases, it is possible to define a .finos-blueprint.json file in the root folder, with the following structure:

"ignore" : [

Exporting to CSV

Here's a useful command to transform the metadata-tool JSON output in CSV.

cat finos-repo-validation.json| jq -r '.[] | [.org, .["repo-name"], .validations["has-admin"], .validations["has-user"], .validations["no-teams"], .validations["no-issues"], .validations["no-issue-templates"], .validations["no-contributing"], .validations["no-code-conduct"], .validations["notice-nok"], .validations["no-notice"], .validations["no-readme"], .validations["no-description"], .validations["is-archivable"], .validations["readme-nok"], .validations["no-badge"], .validations["wrong-badge"], .validations["repo-not-on-file"], .validations["no-whitesource"]] | @csv'