Which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)? Community Edition Version 8.0
What are you trying to achieve? Create mandatory rules which the team cannot suppress and non-mandatory rules which the team can suppress. Can we make the Sonar default rules mandatory?
What have you tried so far to achieve this? We are doing a POC on this, so that we can enforce certain rules that the team cannot suppress.
Security is a process, not a product. The most effective security is the one you don't need to bother enforcing.
Discuss the rules that you want to make mandatory with the team who must follow them. Make sure the reasons for each rule are understood and agreed upon before turning them on.
This does not have to be tedious, it can be “these 120 rules are ones that prevent mistakes that turn into bugs and bugs cost money to fix and detract from our credibility, and these 35 rules are to help maintain a consistent style, because a consistent style makes work easier for us”.
Then make sure you are requiring a code/PR review before the changes can be merged into the main branch. Have a training session to show how you expect reviews to be conducted, and pay special attention to highlight the different ways that people will try to circumvent the rules. Make sure that everyone understands that using these without explicit approval means an instantly failing code review.
Let the team members hold each other accountable, but spot check completed reviews and merged code periodically to make sure everyone is doing the needful. If you find cases where it's not, both the author and the reviewer are equally accountable.
If after this, you still have coworkers that willingly bypass these rules all the time, then they should be encouraged to go away because they already aren't part of the team.