add security scan

.github/workflows/vmware-go-kcl-v2-ci.yml

@@ -10,39 +10,59 @@ on:
 
 jobs:
   build:
-    name: Build
+    name: Continous Integration
     runs-on: ubuntu-latest
     steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v2
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v2
 
-    - name: Set up Go 1.17.x
-      uses: actions/setup-go@v2
-      with:
-        go-version: ^1.17
-      id: go
+      - name: Set up Go 1.17.x
+        uses: actions/setup-go@v2
+        with:
+          go-version: ^1.17
+        id: go
 
-    - name: Build
-      shell: bash
-      run: |
-        make build
+      - name: Build
+        shell: bash
+        run: |
+          make build
 
-#    - name: Test
-#      shell: bash
-#      run: |
-#        make test
+  #    - name: Test
+  #      shell: bash
+  #      run: |
+  #        make test
 
-    - name: Format Check
-      shell: bash
-      run: |
-        make format-check
+  scans:
+    name: Checks, Lints and Scans
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v2
 
-    - name: Lint
-      shell: bash
-      run: |
-        make lint-docker
+      - name: Set up Go 1.17.x
+        uses: actions/setup-go@v2
+        with:
+          go-version: ^1.17
+        id: go
 
-    - name: Scan
-      shell: bash
-      run: |
-        make scan
+      - name: Format Check
+        shell: bash
+        run: |
+          make format-check
+
+      - name: Lint
+        shell: bash
+        run: |
+          make lint-docker
+
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@master
+        with:
+          # let the report trigger content trigger a failure using the GitHub Security features.
+          args: '-no-fail -fmt sarif -out results.sarif -exclude-dir internal -exclude-dir vendor -severity high ./...'
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          # path to SARIF file relative to the root of the repository
+          sarif_file: results.sarif

.gitignore

@@ -23,3 +23,4 @@ filenames
 
 .DS_Store
 .scannerwork/
+*.sarif

Makefile

@@ -40,6 +40,10 @@ integration-test: ## - execute go test command for integration tests (aws creden
 scan: ## - execute static code analysis
 	@ ./_support/scripts/ci.sh scan
 
+.PHONY: local-scan
+local-scan: ## - execute static code analysis locally
+	@ ./_support/scripts/ci.sh localScan
+
 .PHONY: lint
 lint: ## - runs golangci-lint
 	@ ./_support/scripts/ci.sh lint

_support/scripts/ci.sh

@@ -23,7 +23,7 @@ function checkfmt() {
     fi
 }
 
-function go_format() {
+function goFormat() {
     echo "go formatting..."
     gofmt -w ./
     echo "done"
@@ -52,7 +52,7 @@ function lintDocker() {
                                                         --verbose
 }
 
-function test() {
+function unitTest() {
   	go list ./... | grep -v /test | \
    	xargs -L 1 -I% bash -c 'echo -e "\n**************** Package: % ****************" && go test % -v -cover -race ./...'
 }
@@ -101,6 +101,16 @@ function scanast() {
     rm -f security.log
 }
 
+function Scan() {
+    gosec -fmt=sarif -out=results.sarif -exclude-dir=internal -exclude-dir=vendor -severity=high ./...
+}
+
+function localScan() {
+    # you can use the vs code plugin https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer
+    # to navigate against the issues
+    gosec -fmt=sarif -out=results.sarif -exclude-dir=internal -exclude-dir=vendor ./...
+}
+
 function usage() {
     echo "check.sh fmt|lint" >&2
     exit 2
@@ -108,10 +118,11 @@ function usage() {
 
 case "$1" in
     fmtcheck) checkfmt ;;
-    format) go_format ;;
+    format) goFormat ;;
     lint) lint ;;
     lintDocker) lintDocker ;;
-    unittest) test ;;
-    scan) scanast ;;
+    unittest) unitTest ;;
+    scan) scan ;;
+    localScan) localScan ;;
     *) usage ;;
 esac