
Enable gosec for static application security testing (#272)
* Enable gosec for static application security testing

* Disable internal sast scanning tools in favor of gosec

* Adding report dir

* Add exclude-dirs gardener,hack

* Address review comment

---------

Co-authored-by: Ismail Alidzhikov <[email protected]>
Kostov6 and ialidzhikov authored Nov 15, 2024
1 parent 3749be2 commit c3093b6
Showing 3 changed files with 30 additions and 2 deletions.
17 changes: 17 additions & 0 deletions .ci/pipeline_definitions
Expand Up @@ -34,6 +34,13 @@ gardener-extension-registry-cache:
attribute: global.image.tag

base_definition:
repo:
source_labels:
- name: cloud.gardener.cnudie/dso/scanning-hints/source_analysis/v1
value:
policy: skip
comment: |
We use gosec for sast scanning, see attached log.
traits:
version:
preprocess: 'inject-commit-hash'
Expand Down Expand Up @@ -79,6 +86,16 @@ gardener-extension-registry-cache:
nextversion: 'bump_minor'
next_version_callback: '.ci/prepare_release'
release_callback: '.ci/prepare_release'
assets:
- type: build-step-log
step_name: verify
purposes:
- lint
- sast
- gosec
comment: |
We use gosec (linter) for SAST scans, see: https://github.com/securego/gosec.
Enabled by https://github.com/gardener/gardener-extension-registry-cache/pull/272
slack:
default_channel: 'internal_scp_workspace'
channel_cfgs:
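Review bot: The `comment` under `policy: skip` in the first hunk says "see attached log" without naming which log, while the asset added in the second hunk attaches only the `verify` step log; name it so the skip is auditable on its own, e.g. `We use gosec for SAST scanning, see the attached build-step log of the verify step.` Per the Makefile hunk in this commit, `verify` runs `make sast` without `--gosec-report true`, so the attached evidence appears to be gosec's console output rather than the SARIF file that `sast-report` produces on `verify-extended`; if the SARIF report is meant to be the record, it would need its own asset entry. The rendered page drops indentation, so I cannot check the YAML nesting of the new `repo:` block.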
3 changes: 3 additions & 0 deletions .gitignore
Expand Up @@ -23,3 +23,6 @@ TODO
.go-version

/gardener

# gosec
gosec-report.sarif
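Review bot: The new `gosec-report.sarif` pattern is unanchored, so it ignores a file of that name in any subdirectory, unlike the `/gardener` entry just above it, which is pinned to the repository root. If the report is only ever written at the root where `make sast-report` runs, `/gosec-report.sarif` keeps the two entries consistent and avoids silently masking an unexpected copy elsewhere. Where the report lands is decided by `sast.sh`, which is outside this diff, so confirm before narrowing the pattern.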
12 changes: 10 additions & 2 deletions Makefile
Expand Up @@ -90,6 +90,14 @@ generate-in-docker:
format: $(GOIMPORTS) $(GOIMPORTSREVISER)
@bash $(GARDENER_HACK_DIR)/format.sh ./cmd ./pkg ./test

.PHONY: sast
sast: $(GOSEC)
@bash $(GARDENER_HACK_DIR)/sast.sh --exclude-dirs hack,gardener

.PHONY: sast-report
sast-report: $(GOSEC)
@bash $(GARDENER_HACK_DIR)/sast.sh --exclude-dirs hack,gardener --gosec-report true

.PHONY: test
test:
@bash $(GARDENER_HACK_DIR)/test.sh ./cmd/... ./pkg/...
Expand All @@ -103,10 +111,10 @@ test-clean:
@bash $(GARDENER_HACK_DIR)/test-cover-clean.sh

.PHONY: verify
verify: check format test
verify: check format test sast

.PHONY: verify-extended
verify-extended: check-generate check format test-cov test-clean
verify-extended: check-generate check format test-cov test-clean sast-report

test-e2e-local: $(GINKGO)
./hack/test-e2e-local.sh --procs=$(PARALLEL_E2E_TESTS) ./test/e2e/...
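Review bot: The exclusion list `hack,gardener` is spelled out twice in the first hunk, once in the `sast` recipe and once in `sast-report`, so the two scans can drift apart the next time one of them is edited; hoist it into a single variable, `SAST_EXCLUDE_DIRS := hack,gardener`, and use `--exclude-dirs $(SAST_EXCLUDE_DIRS)` in both recipes. A one-line comment above that variable stating why those directories are skipped would tell a reader the exclusion is deliberate and not hiding production code from the scan; `gardener/` appears to be an external checkout given the `/gardener` rule in `.gitignore`, and `hack/` seems to hold build scripts, but both are inferences since `sast.sh` and the directory contents are outside this diff. The `@` prefix on both recipe lines hides the exact gosec invocation from the build log, which is inconvenient when the scan fails in CI; consider dropping it on these two lines so the flags in effect are visible in the attached step log.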
