Live Q&A - Optimizing the Developer DevSecOps Experience for Embedded Systems
Mark Hermeling - CodeSecure - EOC 2025 - Duration: 31:41

Thanks Mark, great presentation and discussion. I can relate to much of it. I was mandated to use Parasoft and Checkmarx, which I found awkward to use, especially when run infrequently and you forget how. As they were run occasionally towards the end of the project, they produced mountains of haystacks. So I get the idea of being able to filter out what's new or relevant on a branch, and just staying on top of it daily. I find there's often a lot of marketing hype and training needed for SAST tools; all I want to do is download it and try it locally for 10 mins. It seems to point to qualified code generation from a model (or using it for the code generator), to minimise coding errors in the first place.
Excellent presentation!
Thanks @dcblack, I will certainly keep this in mind.
Here are the links as well:
https://gitlab.com/codesonar/examples - Open source projects with GitLab pipelines
https://codesecure.com/trial-request/ - Request access to the CodeSonar results. Provide your GitLab id and you will be able to work on MRs
https://www.youtube.com/@CodeSecure_ - Detailed videos
You should refer to the PDF provided, and the links in the PDF should be clickable (not just copy/paste). Perhaps a simple QR code to a page with all the links in one place.
11:01:30 From Jacob Beningo : Hello Everyone
11:05:59 From ts : Mark, you favour GitLab over GitHub because of the extensive support for CI/CD instead of GitHub Actions. Can you elaborate a bit on that?
11:09:04 From Viktor : Hello, 4 questions related together from my side: Could you please provide us with examples of static analysis tools which are executed locally on the developer's PC to give insights before publishing a Merge Request? Could you please provide us with examples of static analysis tools you use on the CI/CD pipeline side (apart from SonarQube)? What are your criteria to choose whether the static analysis tool is running on-prem, locally or in the cloud? Do you use the DevContainers VSCode extension in your workflow?
11:10:11 From Siddhant : In addition to the above question: Are there any open source SAST tools available?
11:16:10 From Mark : Is CodeSonar comparable to SonarQube in the context of embedded development? If so, what are the relative benefits of CodeSonar?
11:18:11 From David Evennou : Great Presentation! I am a one-man shop and have not had a need to do a CI/CD process, but I am interested in learning about it. How would you suggest I get started?
11:21:40 From Mark Hermeling : https://gitlab.com/guided-explorations/embedded/workshops/embedded-devops-workshop-refactoring-to-ci
11:22:04 From Mark : Reacted to "https://gitlab.com/g..." with 👍
11:22:37 From Sam R : Reacted to "https://gitlab.com/g..." with 👍
11:22:42 From Viktor : If I understand well, CodeSonar does some analysis which is normally done by dynamic analysis tools like ASan or Valgrind, but CodeSonar does that without compilation and execution?
11:22:45 From Mark : What are the most compelling benefits (to the developer) of using SAST, to encourage adoption? e.g. aspects that might make day-to-day development enjoyable, less stressful…
11:25:07 From MW : Any analysis tool you recommend adding to your development process when using AI such as MS/GitHub/… Copilot for coding?
11:25:12 From Siddhant : This question might be out of scope, please ignore it if it is. Are there any tools already out that use AI for DevSecOps in embedded systems?
11:27:50 From BanksG02 : Can CodeSonar report the deepest potential stack depth for each function? I presume potential stack overflows are reported, but I'm asking for a utility that will help me set stack sizes and get them right, rather than find when they're wrong.
11:32:43 From Stephane : Thank you Mark!
Excellent session, critically important today more than ever.