[2/2] Add Security workflows: GoSec scan workflow

[amanbrar1999]

Motivation

Related to #1922 and issue open-telemetry/oteps#144

GoSec is a static analysis engine which scans go source code for security vulnerabilities. As the project grows and we near GA it might be useful to have a workflow which checks for security vulnerabilities so we can ensure every incremental change is following best development practices. Also passing basic security checks will also make sure that there aren't any glaring issues for our users.

Changes

This PR adds GoSec security checks to the repo

Workflow Triggers

• daily cron job at 2:30am
• workflow_dispatch (in case maintainers want to trigger a security check manually)

cc- @alolita

[codecov]

Codecov Report

Merging #1923 (2f4016a) into master (c7d7acd) will decrease coverage by 0.00%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #1923      +/-   ##
==========================================
- Coverage   89.95%   89.95%   -0.01%     
==========================================
  Files         381      381              
  Lines       18519    18519              
==========================================
- Hits        16659    16658       -1     
- Misses       1390     1391       +1     
  Partials      470      470              

Flag	Coverage Δ
integration	69.82% <ø> (ø)
unit	88.67% <ø> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
processor/groupbytraceprocessor/event.go	95.96% <0.00%> (-0.81%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c7d7acd...2f4016a. Read the comment docs.

[bogdandrutu]

Why not running this for every PR?

[amanbrar1999]

I didn’t want it to be a blocker for development for now. This workflow fails when it finds potential issues, some of which may also be false positives. Right now there are a lot of issues that it flags so it would always be failing.

[bogdandrutu]

I think we need to start fixing the issues, otherwise this will be useless. We do have it enabled in the core collector and was not that hard :)

[amanbrar1999]

Where is it enabled in the core collector? I opened this same PR in the core collector repo because I thought it did not exist already. Even in the core collector this GoSec workflow fails because of many issues.

I will also create a new issue to fix GoSec issues if this PR gets merged. I think it would be best to fix the initial set of issues in a separate PR and then enable this for every future PR.

[bogdandrutu]

https://github.com/open-telemetry/opentelemetry-collector/blob/d885cb20e11c5b8c9dafa3251b2591cc8f1f8c82/.golangci.yml

[amanbrar1999]

@bogdandrutu looks like we restricted gosec to a very small set of rules in the core collector, whereas this workflow uses all rules, hence why I saw many more errors. I will follow up and update this to run the same rules at the core collector and run on PR builds as well

[bogdandrutu]

small set of rules in the core collector

We disable only 2 rules "G402" and "G404" :)

[amanbrar1999]

Ah nevermind, I thought those were the only 2 being used

[bogdandrutu]

Please start fixing problems if you want, see #1955 that enables always gosec

[bogdandrutu]

I am going to close this PR since #1955 enables always and also fixed bunch of errors.