Static Analysis & Lint
Lint baseline likely; Detekt/Ktlint integration needs confirmation.
Score: 65
Summary
Static-analysis tooling needs verification. Android Lint is almost certainly present, since the Android Gradle Plugin registers lint tasks by default, but whether it gates builds is unconfirmed; Detekt and Ktlint adoption is uncertain. CI runs NowSecure for app-level security scanning.
Findings
MEDIUM · Detekt / Ktlint adoption unclear
No clear evidence of a Detekt or Ktlint configuration at the repo root.
Recommendation: Add Detekt with the Compose ruleset (twitter/compose-rules) and a baseline so existing debt does not block the gate; add Ktlint via Spotless; gate PRs on ./gradlew detekt spotlessCheck (spotlessCheck is the Spotless task; ktlintCheck exists only when the separate ktlint-gradle plugin is used instead of Spotless).
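The recommendation above, as an added example of how the wiring could look in a module's build.gradle.kts. This is illustrative code, not the Costco Android project's build script; the plugin versions, the config/detekt paths, the ktlint version and the Compose-rules artifact coordinates are assumptions (twitter/compose-rules has since continued as mrmans0n/compose-rules, published under io.nlopez.compose.rules).

```kotlin
// app/build.gradle.kts (illustrative; not the project's own build script).
// Versions and paths below are assumptions; pin them to the project's version catalog.
plugins {
    id("com.android.application")
    id("org.jetbrains.kotlin.android")
    id("io.gitlab.arturbosch.detekt") version "1.23.6"
    id("com.diffplug.spotless") version "6.25.0"
}

detekt {
    buildUponDefaultConfig = true   // project config layers on top of detekt's defaults
    allRules = false                // opt in to rules deliberately, not wholesale
    config.setFrom(rootProject.file("config/detekt/detekt.yml"))
    // Known debt is recorded here; only NEW findings fail the build.
    // Create or refresh it with `./gradlew detektBaseline` and review the XML diff in the PR.
    baseline = rootProject.file("config/detekt/baseline.xml")
    parallel = true
}

dependencies {
    // Compose rule set for Detekt (assumed coordinates). The rules must also be switched on
    // in detekt.yml under a `Compose:` block with `active: true`, otherwise they do nothing.
    detektPlugins("io.nlopez.compose.rules:detekt:0.4.1")
}

spotless {
    kotlin {
        target("src/**/*.kt")
        targetExclude("**/build/**")
        ktlint("1.2.1")             // ktlint version is an assumption
    }
    kotlinGradle {
        target("*.gradle.kts")
        ktlint("1.2.1")
    }
}

// Tie both into the standard verification lifecycle so `./gradlew check` (and any CI job
// that runs it) fails on a Detekt finding or a formatting violation.
tasks.named("check") {
    dependsOn("detekt", "spotlessCheck")
}
```

Gate the PR job on `./gradlew detekt spotlessCheck` (or simply `check`); developers fix formatting locally with `./gradlew spotlessApply`, so the CI gate only ever reports what someone forgot to run.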
MEDIUM · Lint baseline hygiene
Large projects accumulate suppressions; without a periodic audit the baseline grows silently and Lint becomes background noise.
Recommendation: Re-baseline Lint quarterly (delete the baseline file and rerun the lint task; AGP regenerates it); treat error-severity Lint findings as build-breakers (abortOnError); review baseline diffs in PRs so every newly suppressed finding is a conscious decision rather than a side effect.
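An added example of the corresponding AGP lint configuration, plus a small Gradle task that summarises the baseline by severity and issue id so a re-baseline can be reviewed as a diff of counts rather than of hundreds of XML lines. It is illustrative, not the project's configuration; the baseline path and the particular checks promoted to error severity are assumptions.

```kotlin
// app/build.gradle.kts (illustrative; not the project's own configuration).
android {
    lint {
        // Known findings live in the baseline; anything not listed there fails the build.
        // Re-baseline by deleting the file and running `./gradlew lintRelease`; AGP writes a fresh one.
        baseline = file("lint-baseline.xml")   // path is an assumption
        abortOnError = true                    // error-severity findings break the build
        warningsAsErrors = false               // promote individual checks below instead
        checkDependencies = true               // lint library modules as part of the app run
        checkReleaseBuilds = true
        sarifReport = true                     // upload for PR annotations in code scanning
        // Security-relevant checks that should never ride along in the baseline: force them to
        // error severity so a new occurrence fails even where the default severity is Warning.
        error += setOf(
            "TrustAllX509TrustManager",
            "BadHostnameVerifier",
            "SetJavaScriptEnabled",
            "ExportedContentProvider",
            "UnsafeIntentLaunch",
        )
    }
}

// Summarise the baseline as "<severity>/<issue id>: count" so reviewers can diff two baselines
// (e.g. main vs. the re-baseline PR) as a short list instead of raw XML.
tasks.register("lintBaselineSummary") {
    val baselineFile = file("lint-baseline.xml")
    doLast {
        if (!baselineFile.exists()) {
            println("no lint baseline at ${baselineFile.path}")
            return@doLast
        }
        // Lint writes each suppressed finding as <issue id="..." severity="..." message="...">.
        val issue = Regex("<issue\\s+id=\"([^\"]+)\"\\s+severity=\"([^\"]+)\"")
        val counts = issue.findAll(baselineFile.readText())
            .groupingBy { "${it.groupValues[2]}/${it.groupValues[1]}" }
            .eachCount()
        counts.toSortedMap().forEach { (key, n) -> println("%5d  %s".format(n, key)) }
        println("total suppressed findings: ${counts.values.sum()}")
    }
}
```

Run `./gradlew lintBaselineSummary` on main and on the re-baseline branch and paste both outputs into the PR; a category whose count went up is the one that needs a reviewer's attention.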
LOW · Dependency vulnerability scanning
Add software-composition (OSS dependency) scanning of the Gradle dependency graph in addition to NowSecure's app-level checks.
Recommendation: Wire OWASP Dependency-Check (Gradle plugin) or GitHub Advanced Security / Dependabot alerts into CI; alert on new CVEs in transitive dependencies, which make up most of the resolved classpath.
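The Dependency-Check option, as an added example of the Gradle wiring; this is not the project's own configuration. The plugin version, the suppression-file path and the CVSS threshold are assumptions, and an NVD API key is assumed to be supplied as a CI secret.

```kotlin
// build.gradle.kts (root; illustrative, not the project's own configuration).
plugins {
    id("org.owasp.dependencycheck") version "9.2.0"   // version is an assumption
}

dependencyCheck {
    // NVD API key (assumed to be a pipeline secret) avoids the heavily rate-limited anonymous feed.
    nvd.apiKey = System.getenv("NVD_API_KEY")
    // Fail the build on any dependency with CVSS >= 7.0; lower scores still appear in the report.
    failBuildOnCVSS = 7.0f
    // Scan only what ships. Resolved configurations already contain transitive dependencies,
    // so the long tail of transitive CVEs is covered without listing each library.
    scanConfigurations = listOf("releaseRuntimeClasspath")
    // False positives and accepted risks are recorded here with a justification and an
    // expiry date, never silently ignored.
    suppressionFile = "config/dependency-check/suppressions.xml"   // path is an assumption
    formats = listOf("HTML", "SARIF")                                // SARIF for code-scanning upload
    analyzers.assemblyEnabled = false                                // no .NET assemblies in an Android app
}
```

In a multi-module build run `./gradlew dependencyCheckAggregate` from the pipeline and archive the HTML report; the SARIF output can be uploaded so new findings show up as PR annotations next to the Lint ones.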
INFO · NowSecure scans active
azure-pipelines-nowsecure.yml runs in CI. Keep this signal active and make sure its findings are triaged, not just generated.
Costco Android · Code Review Report · Generated 2026-05-07 · 626 machine-curated findings