Finalized pending ADRs + security enhancements #1127
Merged
@@ -80,4 +80,3 @@ You can view the ADRs by browsing this following list: | |
{{ adrs() }} | ||
|
||
{{ edit() }} | ||
|
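Review bot: whitespace-only change; the blank line between `{{ adrs() }}` and `{{ edit() }}` is dropped here and at the same spot in the other ADR index pages in this PR. Harmless as long as the templating engine treats each shortcode line on its own, but since the two calls were previously separated by a paragraph break, a quick render check of one of these pages is worth doing before merge.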
@@ -83,4 +83,3 @@ You can view the ADRs by browsing this following list: | |
{{ adrs() }} | ||
|
||
{{ edit() }} | ||
|
@@ -13,40 +13,99 @@ title = "ADR-0013: Scan the Codebase for Vulnerabilities and Code Smells Regular | |
weight = 13 | ||
+++ | ||
|
||
- Status: draft | ||
- Date: 2024-05-12 | ||
- Status: accepted | ||
- Date: 2024-09-02 | ||
- Tags: security, static-analysis, quality | ||
|
||
## Context and Problem Statement | ||
|
||
As our software project grows in complexity and scale, the risk of introducing | ||
security vulnerabilities and code smells increases. Currently, our codebase | ||
lacks a consistent and systematic approach to identifying these issues early | ||
in the development cycle, leading to higher maintenance costs and potential | ||
As our software project grows in complexity and scale, the risk of introducing | ||
security vulnerabilities and code smells increases. Currently, our codebase | ||
lacks a consistent and systematic approach to identifying these issues early | ||
in the development cycle, leading to higher maintenance costs and potential | ||
security breaches in production. | ||
|
||
This ADR is in a draft state, we will update it with a selection of tools and | ||
processes to scan the codebase for vulnerabilities and code smells regularly. | ||
|
||
## Decision Drivers | ||
|
||
- TBD | ||
- Improve code quality and security | ||
- Detect potential vulnerabilities early in the development process | ||
- Ensure consistent code analysis across the project | ||
- Integrate seamlessly with existing CI/CD pipelines | ||
|
||
## Considered Options | ||
|
||
- TBD | ||
1. Use `go vet` and `govulncheck` | ||
2. Use `go vet`, `govulncheck`, and Snyk | ||
3. Use `go vet`, `govulncheck`, `codesweep`, and `gosec` | ||
4. Use `go vet`, `govulncheck`, Snyk, and `golangci-lint` | ||
||
5. Maintain status quo (no regular scanning) | ||
|
||
## Decision Outcome | ||
|
||
TBD. | ||
Chosen option: "Use go vet, govulncheck, Snyk, and golangci-lint", because this | ||
combination of tools provides a comprehensive set of tools for code analysis, | ||
vulnerability detection, and security monitoring while also including a | ||
powerful linter for Go code. | ||
|
||
### Implementation Details | ||
|
||
1. `go vet`: | ||
- Run `go vet ./...` as part of the CI/CD pipeline to catch common coding | ||
mistakes. | ||
- Before release: Manually run `go vet ./...` and review results. | ||
|
||
2. `govulncheck`: | ||
- Install: `go install golang.org/x/vuln/cmd/govulncheck@latest` | ||
- Run: `govulncheck ./...` in the CI/CD pipeline to check for known | ||
vulnerabilities. | ||
- Before release: Manually run `govulncheck ./...` and review results. | ||
|
||
3. Snyk: | ||
- Install Snyk CLI: `npm install -g snyk` | ||
- Navigate to the project directory: `cd $WORKSPACE/secrets-manager` | ||
- Authenticate (if not already done): `snyk auth` | ||
- Run: `snyk monitor` in the CI/CD pipeline. | ||
- Before release: Manually run `snyk test` and review results. | ||
- Monitor projects on https://app.snyk.io/org/$username/projects | ||
(replace $username with your actual username) | ||
|
||
4. `golangci-lint`: | ||
- Install `golangci-lint` by following the official documentation | ||
- Create a configuration file `.golangci.yml` in the project root with | ||
desired linters and settings. | ||
- Run: `golangci-lint run` before every release cut and review results. | ||
|
||
5. Pre-release manual check: | ||
- Before cutting a release, a designated team member should run all the above | ||
commands manually and review the results. | ||
- Any new vulnerabilities or issues found should be addressed before proceeding | ||
with the release. | ||
- Document the results of this manual check in the release notes. | ||
|
||
### Positive Consequences | ||
|
||
- TBD | ||
- Early detection of potential vulnerabilities and code smells | ||
- Improved overall code quality and security | ||
- Consistent code analysis across the project | ||
- Comprehensive linting with `golangci-lint` catches a wide range of issues | ||
|
||
### Negative Consequences | ||
|
||
- TBD | ||
- Slight increase in release preparation time due to additional scanning steps | ||
during release cuts | ||
- Potential false positives that may require manual review | ||
- Initial setup time for configuring `golangci-lint` | ||
|
||
## Additional Notes | ||
|
||
- Consider implementing codesweep and gosec in the future if more comprehensive | ||
static analysis is needed. | ||
- Regularly review and update the scanning tools to ensure they remain effective | ||
and relevant. | ||
- Provide documentation and training on how to interpret and act on the results | ||
of these scans. | ||
- Periodically review and update the `.golangci.yml` configuration to ensure it | ||
aligns with project needs and best practices. | ||
|
||
<p> </p> | ||
<p> </p> | ||
|
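Review bot: in the Implementation Details of this hunk, `golangci-lint run` is scheduled only "before every release cut", while `go vet ./...`, `govulncheck ./...` and `snyk monitor` all run in the CI/CD pipeline; that is at odds with the decision driver "Integrate seamlessly with existing CI/CD pipelines" and the stated consequence "Consistent code analysis across the project". Suggest adding `golangci-lint run` to the pipeline next to the other three, or stating in the ADR why it is release-time only. Two smaller points: the install lines `go install golang.org/x/vuln/cmd/govulncheck@latest` and `npm install -g snyk` pull unpinned tool versions, which an ADR about security tooling should pin or at least call out; and the Snyk steps list `snyk auth` but do not say how the pipeline job obtains its credentials, which belongs in the same list so the CI step is reproducible.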
@@ -103,4 +103,3 @@ You can view the ADRs by browsing this following list: | |
{{ adrs() }} | ||
|
||
{{ edit() }} | ||
|
@@ -118,4 +118,3 @@ You can view the ADRs by browsing this following list: | |
{{ adrs() }} | ||
|
||
{{ edit() }} | ||
|
@@ -125,4 +125,3 @@ You can view the ADRs by browsing this following list: | |
{{ adrs() }} | ||
|
||
{{ edit() }} | ||
|
Having a mutex as a member of a struct was raising a `go vet` warning.
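The `go vet` warning the comment refers to comes from vet's copylocks analyzer. As an added example (not code from the secrets-manager project), the constructed `Counter` type below shows why that warning matters: the value-receiver method silently updates a copy of the struct and its mutex, while the pointer-receiver form is the fix.

```go
package main

import (
	"fmt"
	"sync"
)

// Counter keeps a sync.Mutex as a struct member (the pattern in the reviewer's
// comment). go vet's copylocks analyzer flags any copy of such a value.
type Counter struct {
	mu sync.Mutex
	n  int
}

// IncByValue has a value receiver, so each call works on a copy (mutex
// included): go vet reports "passes lock by value" and the increment is lost.
func (c Counter) IncByValue() { // constructed defect, kept for contrast
	c.mu.Lock()
	c.n++
	c.mu.Unlock()
}

// Inc has a pointer receiver: lock and count are shared, go vet is silent, and
// concurrent use is correct.
func (c *Counter) Inc() {
	c.mu.Lock()
	c.n++
	c.mu.Unlock()
}

// RunDemo increments both counters n times from n goroutines and returns the
// totals: the value-receiver counter stays 0, the pointer-receiver one hits n.
func RunDemo(n int) (lostTotal, okTotal int) {
	var lost, ok Counter
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			lost.IncByValue()
			ok.Inc()
		}()
	}
	wg.Wait()
	return lost.n, ok.n
}

func main() {
	fmt.Println(RunDemo(100)) // prints "0 100"
}
```

Running `go vet ./...` on this file reports that `IncByValue` passes a lock by value; changing the receiver to `*Counter` clears the warning and the lost updates at the same time.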