Enable gosec for static application security testing #189
Conversation
hack/sast.sh
Outdated
gosec_report_parse_flags="-track-suppressions -fmt=sarif -out=gosec-report.sarif -stdout" | ||
fi | ||
|
||
# Gardener uses code-generators https://github.com/kubernetes/code-generator and https://github.com/protocolbuffers/protobuf |
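Review bot: `-out=gosec-report.sarif` on the `gosec_report_parse_flags` line is a relative path, so when the script runs from the repository root via make the SARIF report lands in the working tree; either write it under a dedicated output directory or make sure `gosec-report.sarif` is covered by `.gitignore` so a local run cannot leave an untracked report that ends up in a commit. The trailing comment about code-generators should also name which directories the script excludes because of them, since that is the part dependent projects will need to adjust.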
# Gardener uses code-generators https://github.com/kubernetes/code-generator and https://github.com/protocolbuffers/protobuf | |
# The shoot-rsyslog-relp extension uses code-generators https://github.com/kubernetes/code-generator and https://github.com/protocolbuffers/protobuf |
Nit: We don't have protobuf in extensions.
But in general, instead of copying this script file on make tidy, we could call it directly from the hack dir of Gardener, the same way we call other scripts.
I'm ok to not copy it locally under hacks. I think it was done for other scripts so that they can be conveniently called from the hack directory, as there is no make target for them.
Btw, it might be useful to extend the original script under g/g so that additional parameters can be passed to it, e.g. projects that depend on it might have additional directories that they want to exclude.
Btw, it might be useful to extend the original script under g/g so that additional parameters can be passed to it, e.g. projects that depend on it might have additional directories that they want to exclude.
Yep, we also want to exclude the gardener/ dir in the registry-cache repo. Ref gardener/gardener-extension-registry-cache#272 (comment)
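Picking up the suggestion above to let dependent projects pass extra directories to exclude, the following is an added example, not the Gardener hack/sast.sh script and not code from this PR: a small POSIX sh wrapper that keeps the SARIF flags from the PR's script and appends a gosec -exclude-dir argument for each extra directory (such as gardener/ in the registry-cache repo). The default exclude pkg/client and the function names build_gosec_args and run_gosec are assumptions.

```shell
#!/bin/sh
# Added example: parameterised gosec wrapper. Not the Gardener project's
# hack/sast.sh; the default exclude and function names are assumptions.
set -eu

# Directories always skipped (hypothetical default: generated client code).
GOSEC_BASE_EXCLUDES="pkg/client"

# build_gosec_args REPORT_FILE [EXTRA_EXCLUDE_DIR...]
# Prints one gosec argument per line so the command can be inspected
# (and tested) without gosec installed. An empty REPORT_FILE skips the
# SARIF report flags, mirroring the optional report in the PR's script.
build_gosec_args() {
  report="$1"; shift
  if [ -n "$report" ]; then
    # Same flags as the PR: SARIF to a file and to stdout, and keep
    # #nosec suppressions visible in the report.
    printf '%s\n' -track-suppressions -fmt=sarif "-out=$report" -stdout
  fi
  for d in $GOSEC_BASE_EXCLUDES "$@"; do
    d="${d%/}"                 # normalise "gardener/" to "gardener"
    [ -n "$d" ] && printf '%s\n' "-exclude-dir=$d"
  done
  printf '%s\n' ./...
}

# run_gosec REPORT_FILE [EXTRA_EXCLUDE_DIR...]
# Rebuilds the argument list as positional parameters (POSIX sh has no
# arrays) and runs gosec with it; gosec must be on PATH.
run_gosec() {
  list=$(build_gosec_args "$@")
  set --
  old_ifs=$IFS
  IFS='
'
  set -f                       # no globbing while re-splitting the list
  for a in $list; do set -- "$@" "$a"; done
  set +f
  IFS=$old_ifs
  echo "running: gosec $*"
  gosec "$@"
}
```

A consuming extension would call `run_gosec gosec-report.sarif gardener/` from its own make target and get the same report format as the upstream script plus its additional exclusion.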
The Gardener project currently lacks enough active contributors to adequately respond to all PRs.
You can:
/lifecycle stale
/remove-lifecycle stale
Generally /lgtm but we need to merge #196 first
/retest
/lgtm
LGTM label has been added. Git tree hash: 53dab23a8d9354066ca78e92277aafc41a59dfb6
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: plkokanov. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
How to categorize this PR?
/area compliance
/kind enhancement
What this PR does / why we need it:
This PR enables gosec following gardener/gardener-extension-shoot-lakom-service@0308023 and gardener/gardener-extension-shoot-lakom-service@61d3bd1
Fixes #186
Release note: