Merge pull request nephio-project#154 from Nordix/add_gosec_gh_action
Add gosec gh action
kispaljr authored Dec 18, 2024

2 parents 22fcdad + 53f004a commit 9b4e226
Showing 3 changed files with 67 additions and 5 deletions.
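--- /dev/null
+++ b/.github/workflows/gosec-scan.yaml
@@ -0,0 +1,57 @@
+# Copyright 2024 The Nephio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Gosec security scan
+
+on:
+  push:
+    paths-ignore:
+      - "docs/**"
+      - "release/**"
+      - ".prow.yaml"
+      - "OWNERS"
+  pull_request:
+    paths-ignore:
+      - "docs/**"
+      - "release/**"
+      - ".prow.yaml"
+      - "OWNERS"
+
+jobs:
+  tests:
+    name: Porch gosec scan
+    runs-on: ubuntu-latest
+    permissions:
+      # required for all workflows
+      security-events: write
+    env:
+      GO111MODULE: on
+    steps:
+      - name: Checkout Porch
+        uses: actions/checkout@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '>=1.22.2'
+      - name: Run Gosec Security Scanner
+        uses: securego/[email protected]
+        with:
+          # we let the report trigger content trigger a failure using the GitHub Security features.
+          args: '-no-fail -exclude-dir=generated -exclude-dir=test -exclude-generated=true -fmt=sarif -out=results.sarif ./...'
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: results.sarif
+          token: ${{ secrets.GITHUB_TOKEN }}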
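Review bot: Every `uses:` in the new job references a mutable tag (`actions/checkout@v4`, `actions/setup-go@v5`, `github/codeql-action/upload-sarif@v3`, and the scanner itself, rendered on this page as `securego/[email protected]`, presumably an obfuscated `securego/gosec@<tag>`), so the scanner that produces the security findings can change without a commit in this repository; for a security workflow it is worth pinning each action to a full commit SHA with the tag kept in a trailing comment so dependency updates remain trackable. The job-level `permissions:` block sets every unlisted scope to none, so add `contents: read` explicitly rather than relying on the checkout working because the repository is public. On `pull_request` runs triggered from forks the token is read-only and the SARIF upload step may fail for lack of `security-events: write`; confirm whether fork PRs are expected, or gate that step on `github.event.pull_request.head.repo.full_name == github.repository`. The comment above `args:` reads `we let the report trigger content trigger a failure`; suggest `# -no-fail: findings never fail this job; they are surfaced in the GitHub Security tab via the uploaded SARIF`.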
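--- a/.gitignore
+++ b/.gitignore
@@ -30,5 +30,9 @@ __debug*
 # Ignore all local history of files
 **/.history
 
+# gosec artifacts
+*results.html
+
+### Jetbrains IDEs ###
-.idea/*
+.idea/*
 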
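--- a/default-gosec.mk
+++ b/default-gosec.mk
@@ -1,4 +1,4 @@
-# Copyright 2023 The Nephio Authors.
+# Copyright 2023-2024 The Nephio Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,15 +12,16 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-GOSEC_VER ?= 2.19.0
+GOSEC_VER ?= 2.21.4
 GIT_ROOT_DIR ?= $(dir $(lastword $(MAKEFILE_LIST)))
 include $(GIT_ROOT_DIR)/detect-container-runtime.mk
 
 # Install link at https://github.com/securego/gosec#install if not running inside a container
 .PHONY: gosec
 gosec: ## Inspect the source code for security problems by scanning the Go Abstract Syntax Tree
 ifeq ($(CONTAINER_RUNNABLE), 0)
-	$(RUN_CONTAINER_COMMAND) docker.io/securego/gosec:${GOSEC_VER} ./...
+	$(RUN_CONTAINER_COMMAND) docker.io/securego/gosec:${GOSEC_VER} -fmt=html -out=gosec-results.html \
+	-stdout -verbose=text -exclude-dir=generated -exclude-dir=test -exclude-generated ./...
 else
-	gosec ./...
+	gosec -fmt=html -out=gosec-results.html -stdout -verbose=text -exclude-dir=generated -exclude-dir=test -exclude-generated ./...
 endif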
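Review bot: The scan options `-exclude-dir=generated -exclude-dir=test -exclude-generated` are now spelled out twice in the `gosec` recipe (container and host branches) and a third time in `.github/workflows/gosec-scan.yaml`, so the local scan and the CI scan can silently drift apart in what they exclude; hoist them into one variable next to `GOSEC_VER`, e.g. `GOSEC_FLAGS ?= -exclude-dir=generated -exclude-dir=test -exclude-generated`, and reference `$(GOSEC_FLAGS)` from both recipe lines. The report is written to `gosec-results.html` in the working directory, which matches the new `*results.html` ignore rule, but in the container branch that presumably relies on `$(RUN_CONTAINER_COMMAND)` (defined in detect-container-runtime.mk, outside this diff) bind-mounting the current directory — worth a one-line comment on that recipe line so the assumption is visible. Style: the file mixes `${GOSEC_VER}` with `$(...)` elsewhere; prefer one form.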