
Enable gosec for static application security testing #189

Merged: 3 commits merged into gardener:main from the enable-gosec branch on Nov 20, 2024

Conversation


@Kostov6 Kostov6 commented Oct 29, 2024

How to categorize this PR?

/area compliance
/kind enhancement

What this PR does / why we need it:
This PR enables gosec following gardener/gardener-extension-shoot-lakom-service@0308023 and gardener/gardener-extension-shoot-lakom-service@61d3bd1

fixes #186

Release note:

`gosec` is made available for SAST (static application security testing). It can be run with `make sast` or `make sast-report`, and it is also incorporated in the `verify` and `verify-extended` makefile targets.

@gardener-prow gardener-prow bot added area/compliance Compliance related kind/enhancement Enhancement, improvement, extension labels Oct 29, 2024
@gardener-prow gardener-prow bot added cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Oct 29, 2024
hack/sast.sh Outdated
gosec_report_parse_flags="-track-suppressions -fmt=sarif -out=gosec-report.sarif -stdout"
fi

# Gardener uses code-generators https://github.com/kubernetes/code-generator and https://github.com/protocolbuffers/protobuf
Collaborator

Suggested change
# Gardener uses code-generators https://github.com/kubernetes/code-generator and https://github.com/protocolbuffers/protobuf
# The shoot-rsyslog-relp extension uses code-generators https://github.com/kubernetes/code-generator and https://github.com/protocolbuffers/protobuf

Member

Nit: We don't have protobuf in extensions.

Member

But in general instead of copying this script file on make tidy we could call it directly from the hack dir of the Gardener the same way we call other scripts.

Collaborator

I'm ok to not copy it locally under hacks. I think it was done for other scripts so that they can be conveniently called from the hack directory as there is no make target for them.
Btw, it might be useful to extend the original script under g/g so that additional parameters can be passed to it - e.g. projects that depend on it might have additional directories that they want to exclude.

Member

> Btw, it might be useful to extend the original script under g/g so that additional parameters can be passed to it - e.g. projects that depend on it might have additional directories that they want to exclude.

Yep, we also want to exclude the gardener/ dir in the registry-cache repo. Ref gardener/gardener-extension-registry-cache#272 (comment)
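A constructed sketch of the parameterised script the thread asks for (added here; it is not Gardener's hack/sast.sh nor the extension's copy): extra exclude directories are passed as arguments, the report flags are the ones from the reviewed snippet, and gosec's `-exclude-dir` flag is assumed.

```shell
# Constructed example (not Gardener's hack/sast.sh): a wrapper that takes
# extra exclude directories as arguments, as proposed in the thread above.
# Assumes gosec accepts -exclude-dir=<dir>; the report flags are the ones
# shown in the reviewed snippet.

# Directories excluded on every run (constructed default).
DEFAULT_EXCLUDES="hack"

# gosec_args MODE [DIR...]
#   MODE is "plain" (make sast) or "report" (make sast-report, SARIF output).
#   Prints the gosec flags as one space-separated line, or fails on bad input.
gosec_args() {
  mode="$1"; shift
  out=""
  for dir in $DEFAULT_EXCLUDES "$@"; do
    # A caller-supplied value must be a plain path: refuse empty strings,
    # anything that looks like a flag, and whitespace (it would split later).
    case "$dir" in
      ""|-*|*[[:space:]]*) echo "invalid exclude dir: '$dir'" >&2; return 1 ;;
    esac
    out="$out -exclude-dir=${dir%/}"   # drop one trailing slash
  done
  case "$mode" in
    report) out="$out -track-suppressions -fmt=sarif -out=gosec-report.sarif -stdout" ;;
    plain)  ;;
    *)      echo "unknown mode: $mode (use plain|report)" >&2; return 1 ;;
  esac
  printf '%s\n' "${out# }"
}

# run_sast MODE [DIR...]: scan the module with the flags built above, e.g.
#   run_sast report gardener   (the registry-cache case mentioned in the thread)
run_sast() {
  mode="$1"; shift
  flags=$(gosec_args "$mode" "$@") || return 1
  # shellcheck disable=SC2086 -- flags are validated single words; splitting is intended
  gosec $flags ./...
}
```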

@gardener-ci-robot

The Gardener project currently lacks enough active contributors to adequately respond to all PRs.
This bot triages PRs according to the following rules:

  • After 15d of inactivity, lifecycle/stale is applied
  • After 15d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 7d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Mark this PR as fresh with /remove-lifecycle stale
  • Mark this PR as rotten with /lifecycle rotten
  • Close this PR with /close

/lifecycle stale

@gardener-prow gardener-prow bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 15, 2024
@ialidzhikov
Member

/remove-lifecycle stale

@gardener-prow gardener-prow bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 15, 2024
@plkokanov
Collaborator

Generally /lgtm but we need to merge #196 first

@plkokanov
Collaborator

/retest

@plkokanov
Collaborator

/lgtm
/approve

@gardener-prow gardener-prow bot added the lgtm Indicates that a PR is ready to be merged. label Nov 20, 2024

gardener-prow bot commented Nov 20, 2024

LGTM label has been added.

Git tree hash: 53dab23a8d9354066ca78e92277aafc41a59dfb6


gardener-prow bot commented Nov 20, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: plkokanov

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gardener-prow gardener-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 20, 2024
@gardener-prow gardener-prow bot merged commit 4d74861 into gardener:main Nov 20, 2024
7 checks passed
@Kostov6 Kostov6 deleted the enable-gosec branch November 21, 2024 07:35
Successfully merging this pull request may close these issues.

Introduce gosec for Static Application Security Testing (SAST)