In companies and open-source projects, FOSS 3PP license compliance and "correct" use of cryptography are two examples of concerning types of software defects that can have costly consequences, but that are hard to prevent or catch. Sure, there exist CLI scanning tools that can help find potential problems, but when used at all it tends to be late in the cycle, where changing a incompatibly-licensed 3PP can be expensive but necessary.
What if the scanner was run automatically any time the code changes and the result was provided to the developer immediately, right in the editor where they're coding, like syntax or linting errors?
Lucky for us, there is no need to reinvent the wheel. LSP has something called diagnostics that's supported by Eclipse Theia and others, that can provide exactly this in the client. All we need is a language server to provide the diagnostics. A sinple one can be created that monitors files opened in editors and runs the CLI tool against them when one has changed. Any violations reported in the tool's output are converted to diagnostics and sent to the client, to be displayed right in the code editor.
In this presentation, we will go over teh benefits of using LSP to integrate with tools beyond compilers and present an example of such an integration, done as a proof-of-concept, with an open-source tool called crypto-detector. The key is to create a simple language server that uses the CLI scanning tool on files opened in editors, whenever they change.