diff --git a/.ci/pipeline_definitions b/.ci/pipeline_definitions
index 890cf7b0..371f8a54 100644
--- a/.ci/pipeline_definitions
+++ b/.ci/pipeline_definitions
@@ -1,5 +1,12 @@
 machine-controller-manager-provider-gcp:
 base_definition:
+ repo:
+ source_labels:
+ - name: cloud.gardener.cnudie/dso/scanning-hints/source_analysis/v1
+ value:
+ policy: skip
+ comment: |
+ we use gosec for sast scanning. See attached log.
 traits:
 version:
 inject_effective_version: true
@@ -67,6 +74,16 @@ machine-controller-manager-provider-gcp:
 ocm_repository: europe-docker.pkg.dev/gardener-project/releases
 release:
 nextversion: 'bump_minor'
+ assets:
+ - type: build-step-log
+ step_name: check
+ purposes:
+ - lint
+ - sast
+ - gosec
+ comment: |
+ we use gosec (linter) for SAST scans
+ see: https://github.com/securego/gosec
 publish:
 dockerimages:
 <<: *default_images
diff --git a/.gitignore b/.gitignore
index 24112694..0015144e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -30,4 +30,4 @@ main
 cmi-plugin
 
 # gosec
-gosec-report.sarif
\ No newline at end of file
+gosec-report.sarif
diff --git a/Makefile b/Makefile
index 143f3a34..df469469 100644
--- a/Makefile
+++ b/Makefile
@@ -109,4 +109,4 @@ sast: $(GOSEC)
 
 .PHONY: sast-report
 sast-report: $(GOSEC)
- @./hack/sast.sh --gosec-report true
\ No newline at end of file
+ @./hack/sast.sh --gosec-report true
diff --git a/hack/sast.sh b/hack/sast.sh
index 5cc71087..e1e3a0ae 100755
--- a/hack/sast.sh
+++ b/hack/sast.sh
@@ -40,4 +40,4 @@ fi
 # Thus, generated code is excluded from gosec scan.
 # Nested go modules are not supported by gosec (see https://github.com/securego/gosec/issues/501), so the ./hack folder
 # is excluded too. It does not contain productive code anyway.
-gosec -exclude-generated -exclude-dir=hack $gosec_report_parse_flags ./...
\ No newline at end of file
+gosec -exclude-generated -exclude-dir=hack $gosec_report_parse_flags ./...
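Review bot: The `policy: skip` source label opts the whole repository out of the platform's source analysis, but the replacement it cites, gosec, analyses Go code only and (per the hack/sast.sh hunk in this same commit) runs with `-exclude-dir=hack`, so the shell scripts under hack/ are covered by neither scan. The justification comment should state that scope and name the step that produces the evidence, e.g. `we use gosec for SAST scanning of the Go sources (check build step); non-Go files are out of scope. See attached log.`. Whether the `check` step actually fails the pipeline on gosec findings is not visible in this diff; the skip is only defensible if it does, so that fact belongs in the comment as well.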
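Review bot: The `build-step-log` asset declared for the `check` step is labelled with purposes `lint`, `sast` and `gosec`, yet nothing in the hunk ties that step to the Makefile's `sast`/`sast-report` targets that invoke gosec (shown in this commit's Makefile hunk), so the evidence link rests entirely on the free-text comment. If `check` does run one of those targets, make the comment say so rather than only pointing at the gosec project page, e.g. `check step runs 'make sast-report' (gosec) and fails on findings; see https://github.com/securego/gosec` — but only after confirming that is how the step is wired, which this diff does not show. Without that, a reader of the release assets cannot tell whether the log is a blocking scan result or informational output.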