Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add gosec gh action #154

Open
wants to merge 4 commits into
base: main
Choose a base branch
from

Conversation

efiacor
Copy link
Collaborator

@efiacor efiacor commented Dec 6, 2024

Adding a gh action to run gosec scans on PRs. Non blocking presubmit job will be enabled once all issues are resolved.
Update the existing gosec make target "make gosec" to align with the gh action verison

@github-advanced-security
Copy link

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@Catalin-Stratulat-Ericsson
Copy link
Contributor

/test presubmit-nephio-go-test

Copy link
Member

@liamfallon liamfallon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

Copy link
Contributor

nephio-prow bot commented Dec 9, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: efiacor, liamfallon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Sync gh action gosec version with make file version
uses: securego/gosec@v2.21.4
with:
# we let the report trigger content trigger a failure using the GitHub Security features.
args: '-no-fail -exclude-dir=generated -exclude-dir=test -exclude-generated=true -fmt=sarif -out=results.sarif ./...'

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion: Would it be a good idea to add a step to invoke the target in the makefile as well such as below to ensure consistency?

Suggested change
args: '-no-fail -exclude-dir=generated -exclude-dir=test -exclude-generated=true -fmt=sarif -out=results.sarif ./...'
- name: Run Gosec Security Scanner using the makefile target
run:
make gosec GOSEC_VER=v2.21.4

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm hesitant to go back to calling the make targets from the gh actions. Make is a build tool really.
If we try to keep the versions in sync I would prefer that.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I had hoped to be able to pass in a config file with the gosec version etc but it seems it doesn't support it.
https://github.com/securego/gosec?tab=readme-ov-file#configuration
I think for now we can go with duplicated versions and look to replace the make files with something more suitable.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm hesitant to go back to calling the make targets from the gh actions. Make is a build tool really. If we try to keep the versions in sync I would prefer that.

Keeping the versions in sync should definitely be a good goal. For now, we can merge the PR the way it is and add calling the makefile as well at a later time.

@efiacor
Copy link
Collaborator Author

efiacor commented Dec 12, 2024

/test presubmit-nephio-go-test

Clean up rebase error
@kispaljr
Copy link
Collaborator

/lgtm

@vjayaramrh
Copy link

/lgtm

@liamfallon
Copy link
Member

It seems that any github action PRs must be merged manually.

@liamfallon
Copy link
Member

/test presubmit-nephio-go-test

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants