From eaf26900ef279e7eb55a531ff82b67be1e4ed670 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Grac=CC=A7as?= Date: Fri, 12 Nov 2021 02:02:50 +0100 Subject: [PATCH] add security scan --- .github/workflows/vmware-go-kcl-v2-ci.yml | 78 ++++++++++++++--------- .gitignore | 3 +- Makefile | 4 ++ _support/scripts/ci.sh | 21 ++++-- 4 files changed, 71 insertions(+), 35 deletions(-) diff --git a/.github/workflows/vmware-go-kcl-v2-ci.yml b/.github/workflows/vmware-go-kcl-v2-ci.yml index bcdd40e..3c5a8d3 100755 --- a/.github/workflows/vmware-go-kcl-v2-ci.yml +++ b/.github/workflows/vmware-go-kcl-v2-ci.yml 
@@ -7,42 +7,62 @@ on: pull_request: branches: [ master ] paths-ignore: [ README.md ] - + jobs: build: - name: Build + name: Continous Integration runs-on: ubuntu-latest steps: - - name: Check out code into the Go module directory - uses: actions/checkout@v2 + - name: Check out code into the Go module directory + uses: actions/checkout@v2 - - name: Set up Go 1.17.x - uses: actions/setup-go@v2 - with: - go-version: ^1.17 - id: go + - name: Set up Go 1.17.x + uses: actions/setup-go@v2 + with: + go-version: ^1.17 + id: go - - name: Build - shell: bash - run: | - make build + - name: Build + shell: bash + run: | + make build -# - name: Test -# shell: bash -# run: | -# make test + # - name: Test + # shell: bash + # run: | + # make test - - name: Format Check - shell: bash - run: | - make format-check + scans: + name: Checks, Lints and Scans + runs-on: ubuntu-latest + steps: + - name: Check out code into the Go module directory + uses: actions/checkout@v2 - - name: Lint - shell: bash - run: | - make lint-docker + - name: Set up Go 1.17.x + uses: actions/setup-go@v2 + with: + go-version: ^1.17 + id: go - - name: Scan - shell: bash - run: | - make scan \ No newline at end of file + - name: Format Check + shell: bash + run: | + make format-check + + - name: Lint + shell: bash + run: | + make lint-docker + + - name: Run Gosec Security Scanner + uses: securego/gosec@master + with: + # let the report trigger content trigger a failure using the GitHub Security features. + args: '-no-fail -fmt sarif -out results.sarif -exclude-dir internal -exclude-dir vendor -severity high ./...' + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + # path to SARIF file relative to the root of the repository + sarif_file: results.sarif \ No newline at end of file diff --git a/.gitignore b/.gitignore index e537833..85afb96 100644 --- a/.gitignore +++ b/.gitignore 
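Review bot: `uses: securego/gosec@master` in the new `scans` job runs whatever the scanner's default branch contains at the moment of each run, so the checked-out source and the job token are exposed to any future change of that action; pin it to a release tag or, better, a full commit SHA (`uses: securego/gosec@<tag-or-sha>`) and pin `github/codeql-action/upload-sarif` the same way. The SARIF upload step needs `security-events: write` on the job token and no `permissions:` block is visible in this hunk, so confirm one exists earlier in the file; as far as I know the upload also cannot succeed on `pull_request` runs from forks, where the token is read-only, so `-no-fail` will hide that the findings were never recorded. `-exclude-dir internal` drops first-party code under `internal/` from the scan, which removes much of its value — if the intent was only to skip generated or vendored code, drop that flag and keep `-exclude-dir vendor`. The job name has a typo: `name: Continuous Integration`.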
@@ -22,4 +22,5 @@ filenames .DS_Store -.scannerwork/ \ No newline at end of file +.scannerwork/ +*.sarif \ No newline at end of file diff --git a/Makefile b/Makefile index 0823e84..ef02f13 100644 --- a/Makefile +++ b/Makefile @@ -40,6 +40,10 @@ integration-test: ## - execute go test command for integration tests (aws creden scan: ## - execute static code analysis @ ./_support/scripts/ci.sh scan +.PHONY: local-scan +local-scan: ## - execute static code analysis locally + @ ./_support/scripts/ci.sh localScan + .PHONY: lint lint: ## - runs golangci-lint @ ./_support/scripts/ci.sh lint diff --git a/_support/scripts/ci.sh b/_support/scripts/ci.sh index beaba8a..245802f 100755 --- a/_support/scripts/ci.sh +++ b/_support/scripts/ci.sh @@ -23,7 +23,7 @@ function checkfmt() { fi } -function go_format() { +function goFormat() { echo "go formatting..." gofmt -w ./ echo "done" @@ -52,7 +52,7 @@ function lintDocker() { --verbose } -function test() { +function unitTest() { go list ./... | grep -v /test | \ xargs -L 1 -I% bash -c 'echo -e "\n**************** Package: % ****************" && go test % -v -cover -race ./...' } @@ -101,6 +101,16 @@ function scanast() { rm -f security.log } +function Scan() { + gosec -fmt=sarif -out=results.sarif -exclude-dir=internal -exclude-dir=vendor -severity=high ./... +} + +function localScan() { + # you can use the vs code plugin https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer + # to navigate against the issues + gosec -fmt=sarif -out=results.sarif -exclude-dir=internal -exclude-dir=vendor ./... +} + function usage() { echo "check.sh fmt|lint" >&2 exit 2 @@ -108,10 +118,11 @@ function usage() { case "$1" in fmtcheck) checkfmt ;; - format) go_format ;; + format) goFormat ;; lint) lint ;; lintDocker) lintDocker ;; - unittest) test ;; - scan) scanast ;; + unittest) unitTest ;; + scan) scan ;; + localScan) localScan ;; *) usage ;; esac
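Review bot: The new function is declared as `function Scan()` with a capital S, but the dispatcher added in the following hunk is `scan) scan ;;`; shell function names are case-sensitive, so `make scan` (which the Makefile hunk still wires to `ci.sh scan`) will fail with "scan: command not found" instead of running gosec. Rename the definition to `function scan() {`. Neither `scan` nor `localScan` checks that the binary exists, and the script's `set -e`/error handling is outside this hunk, so consider opening both with `command -v gosec >/dev/null || { echo "gosec not installed" >&2; exit 1; }` so a missing tool is reported rather than leaving no results.sarif behind. As in the workflow, `-exclude-dir=internal` excludes first-party `internal/` packages from the scan — confirm that is intended rather than a copy of a vendor-only exclusion.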
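Review bot: `usage()` (its echo is in the trailing context of the previous hunk) still prints `check.sh fmt|lint`, while the case statement in this hunk now accepts fmtcheck, format, lint, lintDocker, unittest, scan and localScan, so the error path documents an interface that does not exist; change it to `echo "ci.sh fmtcheck|format|lint|lintDocker|unittest|scan|localScan" >&2`. With `scan) scanast ;;` removed, `scanast` is no longer reachable from the dispatcher — either delete the function or add a comment stating why it is kept.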