add security scan
This commit is contained in:
parent
0906af7baf
commit
eaf26900ef
4 changed files with 71 additions and 35 deletions
78
.github/workflows/vmware-go-kcl-v2-ci.yml
78
.github/workflows/vmware-go-kcl-v2-ci.yml
|
|
@ -7,42 +7,62 @@ on:
|
||||||
pull_request:
|
pull_request:
|
||||||
branches: [ master ]
|
branches: [ master ]
|
||||||
paths-ignore: [ README.md ]
|
paths-ignore: [ README.md ]
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
build:
|
build:
|
||||||
name: Build
|
name: Continous Integration
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Check out code into the Go module directory
|
- name: Check out code into the Go module directory
|
||||||
uses: actions/checkout@v2
|
uses: actions/checkout@v2
|
||||||
|
|
||||||
- name: Set up Go 1.17.x
|
- name: Set up Go 1.17.x
|
||||||
uses: actions/setup-go@v2
|
uses: actions/setup-go@v2
|
||||||
with:
|
with:
|
||||||
go-version: ^1.17
|
go-version: ^1.17
|
||||||
id: go
|
id: go
|
||||||
|
|
||||||
- name: Build
|
- name: Build
|
||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
make build
|
make build
|
||||||
|
|
||||||
# - name: Test
|
# - name: Test
|
||||||
# shell: bash
|
# shell: bash
|
||||||
# run: |
|
# run: |
|
||||||
# make test
|
# make test
|
||||||
|
|
||||||
- name: Format Check
|
scans:
|
||||||
shell: bash
|
name: Checks, Lints and Scans
|
||||||
run: |
|
runs-on: ubuntu-latest
|
||||||
make format-check
|
steps:
|
||||||
|
- name: Check out code into the Go module directory
|
||||||
|
uses: actions/checkout@v2
|
||||||
|
|
||||||
- name: Lint
|
- name: Set up Go 1.17.x
|
||||||
shell: bash
|
uses: actions/setup-go@v2
|
||||||
run: |
|
with:
|
||||||
make lint-docker
|
go-version: ^1.17
|
||||||
|
id: go
|
||||||
|
|
||||||
- name: Scan
|
- name: Format Check
|
||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
make scan
|
make format-check
|
||||||
|
|
||||||
|
- name: Lint
|
||||||
|
shell: bash
|
||||||
|
run: |
|
||||||
|
make lint-docker
|
||||||
|
|
||||||
|
- name: Run Gosec Security Scanner
|
||||||
|
uses: securego/gosec@master
|
||||||
|
with:
|
||||||
|
# let the report trigger content trigger a failure using the GitHub Security features.
|
||||||
|
args: '-no-fail -fmt sarif -out results.sarif -exclude-dir internal -exclude-dir vendor -severity high ./...'
|
||||||
|
|
||||||
|
- name: Upload SARIF file
|
||||||
|
uses: github/codeql-action/upload-sarif@v1
|
||||||
|
with:
|
||||||
|
# path to SARIF file relative to the root of the repository
|
||||||
|
sarif_file: results.sarif
|
||||||
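Review bot: The new step `uses: securego/gosec@master` pulls a third-party action from a mutable branch, so the code that runs with this repository's checkout can change under the workflow without any review here; pin it to a release tag or, preferably, a full commit SHA, e.g. `uses: securego/gosec@<release tag or commit SHA>` (placeholder). The `-no-fail` argument means gosec findings never fail this job by themselves — the inline comment relies on GitHub's code-scanning features to gate on the uploaded SARIF, which presumably requires code scanning to be enabled and a branch rule on the scan result; worth stating that in the comment so nobody assumes `make scan` parity. The `upload-sarif` step needs `security-events: write` if this workflow ever restricts `permissions:`; the top of the file is outside the hunk, so I cannot confirm the current setting. Minor: `name: Continous Integration` misspells Continuous.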
3
.gitignore
3
.gitignore
|
|
@ -22,4 +22,5 @@
|
||||||
filenames
|
filenames
|
||||||
|
|
||||||
.DS_Store
|
.DS_Store
|
||||||
.scannerwork/
|
.scannerwork/
|
||||||
|
*.sarif
|
||||||
4
Makefile
4
Makefile
|
|
@ -40,6 +40,10 @@ integration-test: ## - execute go test command for integration tests (aws creden
|
||||||
scan: ## - execute static code analysis
|
scan: ## - execute static code analysis
|
||||||
@ ./_support/scripts/ci.sh scan
|
@ ./_support/scripts/ci.sh scan
|
||||||
|
|
||||||
|
.PHONY: local-scan
|
||||||
|
local-scan: ## - execute static code analysis locally
|
||||||
|
@ ./_support/scripts/ci.sh localScan
|
||||||
|
|
||||||
.PHONY: lint
|
.PHONY: lint
|
||||||
lint: ## - runs golangci-lint
|
lint: ## - runs golangci-lint
|
||||||
@ ./_support/scripts/ci.sh lint
|
@ ./_support/scripts/ci.sh lint
|
||||||
|
|
|
||||||
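Review bot: The help text on the new target, `local-scan: ## - execute static code analysis locally`, does not say how it differs from `scan`; per the script hunk in this commit the local variant runs gosec without `-severity=high`, so it reports every severity while `scan` reports only high. Suggest `local-scan: ## - execute static code analysis locally (all severities; 'scan' reports only high)` so `make help` reflects the difference. Both recipes write `results.sarif` into the working tree (now gitignored), which is fine for a PHONY target but worth a note that the file is the artefact to open.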
|
|
@ -23,7 +23,7 @@ function checkfmt() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
function go_format() {
|
function goFormat() {
|
||||||
echo "go formatting..."
|
echo "go formatting..."
|
||||||
gofmt -w ./
|
gofmt -w ./
|
||||||
echo "done"
|
echo "done"
|
||||||
|
|
@ -52,7 +52,7 @@ function lintDocker() {
|
||||||
--verbose
|
--verbose
|
||||||
}
|
}
|
||||||
|
|
||||||
function test() {
|
function unitTest() {
|
||||||
go list ./... | grep -v /test | \
|
go list ./... | grep -v /test | \
|
||||||
xargs -L 1 -I% bash -c 'echo -e "\n**************** Package: % ****************" && go test % -v -cover -race ./...'
|
xargs -L 1 -I% bash -c 'echo -e "\n**************** Package: % ****************" && go test % -v -cover -race ./...'
|
||||||
}
|
}
|
||||||
|
|
@ -101,6 +101,16 @@ function scanast() {
|
||||||
rm -f security.log
|
rm -f security.log
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function Scan() {
|
||||||
|
gosec -fmt=sarif -out=results.sarif -exclude-dir=internal -exclude-dir=vendor -severity=high ./...
|
||||||
|
}
|
||||||
|
|
||||||
|
function localScan() {
|
||||||
|
# you can use the vs code plugin https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer
|
||||||
|
# to navigate against the issues
|
||||||
|
gosec -fmt=sarif -out=results.sarif -exclude-dir=internal -exclude-dir=vendor ./...
|
||||||
|
}
|
||||||
|
|
||||||
function usage() {
|
function usage() {
|
||||||
echo "check.sh fmt|lint" >&2
|
echo "check.sh fmt|lint" >&2
|
||||||
exit 2
|
exit 2
|
||||||
|
|
@ -108,10 +118,11 @@ function usage() {
|
||||||
|
|
||||||
case "$1" in
|
case "$1" in
|
||||||
fmtcheck) checkfmt ;;
|
fmtcheck) checkfmt ;;
|
||||||
format) go_format ;;
|
format) goFormat ;;
|
||||||
lint) lint ;;
|
lint) lint ;;
|
||||||
lintDocker) lintDocker ;;
|
lintDocker) lintDocker ;;
|
||||||
unittest) test ;;
|
unittest) unitTest ;;
|
||||||
scan) scanast ;;
|
scan) scan ;;
|
||||||
|
localScan) localScan ;;
|
||||||
*) usage ;;
|
*) usage ;;
|
||||||
esac
|
esac
|
||||||
|
|
|
||||||
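Review bot: The new dispatch line `scan) scan ;;` calls a function named `scan`, but the function added in this file is `function Scan()` — shell function names are case-sensitive, so `./_support/scripts/ci.sh scan` (what the Makefile's `scan` target runs) will fail with "command not found" instead of running gosec; rename the definition to `function scan() {` or dispatch to `Scan`. The previous `scanast` function is kept but no longer reachable from the case statement, so it is dead code unless retained deliberately. `Scan()` has no `-no-fail`, so unlike the CI action it exits non-zero on high-severity findings; that is a sensible local gate but deserves a one-line comment, and `usage()` still advertises only `fmt|lint` and should list the new subcommands. This section's file header is not shown on the page; from the Makefile recipe it appears to be `_support/scripts/ci.sh`.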