Add gosec gh action #154
Conversation
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
/test presubmit-nephio-go-test
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: efiacor, liamfallon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Sync gh action gosec version with make file version
        uses: securego/gosec@v2.21.4
        with:
          # we let the report trigger content trigger a failure using the GitHub Security features.
          args: '-no-fail -exclude-dir=generated -exclude-dir=test -exclude-generated=true -fmt=sarif -out=results.sarif ./...'
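Review bot: the comment above the `args:` line reads "we let the report trigger content trigger a failure", which looks like a duplicated word; suggest "we let the report content trigger a failure via the GitHub Security features". It is also worth spelling out in that comment that `-no-fail` means this step never fails the job on findings, so the `results.sarif` written by `-fmt=sarif -out=results.sarif` only becomes visible through a subsequent SARIF upload into code scanning, and a reader of the workflow should expect to find that upload step next to this one.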
suggestion: Would it be a good idea to add a step to invoke the target in the makefile as well such as below to ensure consistency?
          args: '-no-fail -exclude-dir=generated -exclude-dir=test -exclude-generated=true -fmt=sarif -out=results.sarif ./...'
      - name: Run Gosec Security Scanner using the makefile target
        run: |
          make gosec GOSEC_VER=v2.21.4
I'm hesitant to go back to calling the make targets from the gh actions. Make is a build tool really.
If we try to keep the versions in sync I would prefer that.
I had hoped to be able to pass in a config file with the gosec version etc but it seems it doesn't support it.
https://github.com/securego/gosec?tab=readme-ov-file#configuration
I think for now we can go with duplicated versions and look to replace the make files with something more suitable.
> I'm hesitant to go back to calling the make targets from the gh actions. Make is a build tool really. If we try to keep the versions in sync I would prefer that.
Keeping the versions in sync should definitely be a good goal. For now, we can merge the PR the way it is and add calling the makefile as well at a later time.
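The thread settles on carrying the gosec version in two places (the workflow's `uses: securego/gosec@...` line and the Makefile's `GOSEC_VER`) until the make files are replaced. The script below is an added example, not part of the nephio PR or of gosec: a small POSIX shell check that reads both files and fails when the pinned versions drift apart, the kind of thing a presubmit job can run so the duplication stays honest. The sample workflow and Makefile contents it writes are constructed here from the lines quoted in the review; the function names and file layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the nephio project): verify that the gosec version pinned in
# the GitHub workflow matches the GOSEC_VER value used by the Makefile target.

# Print the tag from the first `uses: securego/gosec@vX.Y.Z` line in a workflow file.
workflow_gosec_version() {
    sed -n 's/.*uses:[[:space:]]*securego\/gosec@\(v[0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Print the value of GOSEC_VER from a Makefile (accepts =, :=, and ?= assignments).
makefile_gosec_version() {
    sed -n 's/^GOSEC_VER[[:space:]]*[?:]*=[[:space:]]*\(v[0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 when both files pin the same non-empty version, 1 otherwise.
check_gosec_versions() {
    wf_ver=$(workflow_gosec_version "$1")
    mk_ver=$(makefile_gosec_version "$2")
    echo "workflow pins ${wf_ver:-<none>}, Makefile pins ${mk_ver:-<none>}"
    [ -n "$wf_ver" ] && [ -n "$mk_ver" ] && [ "$wf_ver" = "$mk_ver" ]
}

# Constructed sample files that mirror the lines quoted in the PR thread.
# Writes them into a fresh temporary directory and prints its path.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/gosec.yml" <<'EOF'
name: gosec
on: [pull_request]
jobs:
  gosec:
    runs-on: ubuntu-latest
    steps:
      - name: Run Gosec Security Scanner
        uses: securego/gosec@v2.21.4
        with:
          # let the report content trigger a failure via the GitHub Security features
          args: '-no-fail -exclude-dir=generated -exclude-dir=test -exclude-generated=true -fmt=sarif -out=results.sarif ./...'
EOF
    cat > "$dir/Makefile" <<'EOF'
# Version of gosec used by the `make gosec` target (assumed layout for this example).
GOSEC_VER ?= v2.21.4
EOF
    echo "$dir"
}

# Stand-alone run: generate the samples and report whether they agree.
samples=$(write_samples)
if check_gosec_versions "$samples/gosec.yml" "$samples/Makefile"; then
    echo "gosec versions are in sync"
else
    echo "gosec version mismatch between workflow and Makefile" >&2
fi
```

In a real presubmit the two paths would point at the repository's actual workflow file and Makefile and the script's exit status would gate the job; the regular expressions only accept plain `vMAJOR.MINOR.PATCH` tags, so a branch or commit pin would be reported as `<none>` and fail the check rather than pass silently.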
/test presubmit-nephio-go-test
Clean up rebase error
/lgtm
/lgtm
It seems that any github action PRs must be merged manually.
/test presubmit-nephio-go-test
Adding a gh action to run gosec scans on PRs. Non blocking presubmit job will be enabled once all issues are resolved.
Update the existing gosec make target "make gosec" to align with the gh action version.