CodeSanity 1.6.0

Welcome to CodeSanity - created and maintained by Sascha Wildgrube.


Contains a number of instance scan checks to validate source code.


CodeSanity is NOT an officially supported ServiceNow product.

CodeSanity does NOT come with any kind of warranty. If you use it, you own it!

System Requirements


  1. Create an account on GitHub - if not done already)
  2. Create a personal access token for your GitHub account.
  3. Paris or later: Add credentials to access GitHub - use "Basic Auth".
  4. Fork the repository
  5. Go to Studio and import the DevTools application from source control.
  6. Fork the repository
  7. Go to Studio and import the CodeSanity application from source control.

Testing the CodeSanity scan suite

Running the scan suite against the CodeSanity app itself will cause 10 findings in 2 script includes to verify the scan checks work properly. This is not ideal - to find a better way using ATF tests is on the backlog.

Extending the CodeSanity scan suite

  1. Change the scope to the app which should contain your new check - this should NOT be the CodeSanity app.
  2. Select "Add new check" in the menu.
  3. Create and save the new check - it will automatically be added to the CodeSanity scan suite.

Instance Scan checks contained in the CodeSanity app

Helpful links on Instance Scan


Copyright 2022 by Sascha Wildgrube

Licensed under the Apache License, Version 2.0 (the "License")

You may not use CodeSanity except in compliance with the License.

You may obtain a copy of the License at:

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Release Notes

1.6.0 - 2022-07-27 - Birthday Edition

  1. Added check "CodeSanity - Script include has a valid name".
  2. Added check "CodeSanity - InstallerAPI without context".
  3. Added check "CodeSanity - Avoid arrow functions". Although arrow functions are not yet supported in ServiceNow.
  4. Added check "CodeSanity - Widget checks for input".
  5. The check "Checks for the bracket-dot anti-pattern" now allows the pattern "gs.getUser()." because we can assume that gs.getUser() always returns GlideUser object.
  6. The check "Checks for the bracket-dot anti-pattern" now allows patterns like "$('needle')." to support jquery in sp_widget client code.
  7. Renamed check "CodeSanity - [0] anti-pattern" to "CodeSanity - Constant array index anti-pattern".
  8. Added the function HtmlrenderCodingGuideline() to produce ui pages that can serve as a coding guideline document.
  9. This manual page no longer shows instance scan checks that are contained in other apps.

1.5.0 - 2022-07-08

  1. DevTools 1.40.0 is now required.
  2. Check "CodeSanity - Bracket-dot anti-pattern" is now making an exception for sp_widget records to allow the pattern: "server.update().then(".
  3. Check "CodeSanity - Sys IDs in scripts" has been updated to check only against letters from 'a' to 'f'.
  4. Check "CodeSanity - String concatenation anti-pattern" now allows concatenated strings if the second string starts with a backslash and hence indicates an escaped character.

1.4.0 - 2022-06-12

  1. DevTools 1.39.0 is now required.
  2. Added check "CodeSanity - logging.verbosity system property".
  3. The check "CodeSanity - Script include must contain a class or function" was improved to avoid false negatives.
  4. The check "CodeSanity - Throwing exceptions" was improved to avoid false positives.
  5. Added the "logging.verbosity" system property.
  6. Added first ATF tests to verify the checks and removed the "AntiPattern" script includes.

1.3.0 - 2022-06-10

  1. Added the check "CodeSanity - UI Actions without comments".
  2. The check "CodeSanity - Application names in code" now considers the AppInstall() function as an exception.
  3. The check "CodeSanity - Script include must contain a class or function" is now considering comments at the top of the script.

1.2.0 - 2022-05-31

  1. DevTools 1.38.0 is now required.
  2. Added check "CodeSanity - Script include must contain a class or function".
  3. Added check "CodeSanity - Table check code pattern".
  4. The check against application names in code now considers application name postfixes (like "WORK IN PROGRESS" etc.).
  5. The check against application names in code now considers specific code patterns as exceptions where it is unlikely that the string is actually the application name - i.e. where the string is more likely a class name or the name of an extension point.
  6. The check against application names in code now considers the function x_snc_codesanity.GetScanSuiteRecord() and any script include containing "GetLinkDirectory" in the name as an exception.
  7. The check against the [0] anti pattern is now considering any constant number pre or postfixed by whitespace characters.
  8. More exceptions have been added for the check against Sys IDs in scripts.

1.1.0 - 2022-04-19

  1. DevTools 1.37.0 is now required.
  2. Priority of all checks is now set to "Critical".
  3. Refactored CodeSanity's own code not to trigger any findings other than in the honey pot script include "AntiPatterns".
  4. Added a check against the use of application names in source code.
  5. Added a check if the field "short_description" is used in a condition statement.
  6. Added a check against using the Date class constructor without parameters.
  7. Added a check against the bracket-dot anti-pattern.
  8. Added a check against the string concatenation anti-pattern.
  9. Several exceptions have been added for the check against Sys IDs in scripts as some specific functions will need to contain Sys IDs no matter what.
  10. Corrected a defect in the check against Sys IDs in source code.

1.0.0 - 2022-03-15

First baselined version