# Qt securityHeader Bot

As per QUIP-23, this bot executes Security Header checks on all files as they are uploaded in a patchset.

It examines the first 50 lines (limited to the first 8 KB) of each changed file in a patchset for the security keyphrase:

`// Qt-Security score:critical`

When a file is modified or deleted, both the current patch and the previous version are checked for the security keyphrase, to ensure that it is not being inappropriately removed or downgraded.

If a security-critical file is added, modified or deleted, the bot will:

- Post the hashtag "Qt-Security change" to the Gerrit change request.

Changes with this hashtag display a large red banner to notify reviewers that the change deserves extra scrutiny.
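The header check and the old-versus-new comparison described above, as an added example that is not the bot's own code (the tag names returned by `classify_change` and the `hashtag_for` helper are this example's own conventions; the bot itself only posts the hashtag):

```python
"""Security-header check: first 50 lines within the first 8 KB, UTF-8 files only."""
from typing import Optional

KEYPHRASE = "// Qt-Security score:critical"
MAX_LINES = 50
MAX_BYTES = 8 * 1024
HASHTAG = "Qt-Security change"


def has_security_header(content: Optional[bytes]) -> bool:
    """True if the keyphrase appears in the first 50 lines of the first 8 KB.

    `content` is None when the file does not exist on that side of the change
    (old side of an added file, new side of a deleted file).  Non-UTF-8 files
    (images, archives, other binaries) are excluded and never count."""
    if content is None:
        return False
    try:
        content.decode("utf-8")  # strict check: reject binary files entirely
    except UnicodeDecodeError:
        return False
    # Truncate to 8 KB; errors="ignore" only drops a multi-byte char cut at the boundary.
    head = content[:MAX_BYTES].decode("utf-8", errors="ignore")
    return any(KEYPHRASE in line for line in head.splitlines()[:MAX_LINES])


def classify_change(old: Optional[bytes], new: Optional[bytes]) -> Optional[str]:
    """Describe why a change is security-relevant, or None if it is not.

    Both sides are checked so that removing the header (a downgrade) is
    flagged just like adding or editing a security-critical file."""
    before, after = has_security_header(old), has_security_header(new)
    if not (before or after):
        return None
    if old is None:
        return "added"
    if new is None:
        return "deleted"
    if before and not after:
        return "header-removed"
    if after and not before:
        return "header-added"
    return "modified"


def hashtag_for(old: Optional[bytes], new: Optional[bytes]) -> Optional[str]:
    """Hashtag to post on the Gerrit change, or None when nothing is flagged."""
    return HASHTAG if classify_change(old, new) is not None else None


if __name__ == "__main__":
    # Constructed sample files, not taken from any Qt repository.
    critical = b"// Copyright (C) Example\n" + KEYPHRASE.encode() + b"\n#include <a>\n"
    plain = b"#include <b>\n"
    print(classify_change(critical, plain), hashtag_for(critical, plain))
```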
## Exclusions

- All non-UTF-8 encoded files (images, archives, other binary file formats)
## Installation

To install this script as a service:

1. Copy the service file to the systemd directory of your choice, such as `/etc/systemd/system/`.
2. Reload the daemon with `systemctl daemon-reload`.
3. Run `systemctl edit qtSecurity_bot` to generate an override config. Set environment variables here.
4. Start the service (default port 8088; override with `QTSECURITYBOT_PORT`).
## Prerequisites

- This bot is designed to receive webhooks from Gerrit Code Review. See Gerrit Webhooks.
- The included systemd service file assumes you have `pipenv` installed for the `qt` user.
- You must manually install the required packages into the pipenv, as the service does not do this automatically.