-
Notifications
You must be signed in to change notification settings - Fork 19
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add gosec gh action #154
Add gosec gh action #154
Conversation
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
/test presubmit-nephio-go-test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: efiacor, liamfallon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Sync gh action gosec version with make file version
uses: securego/[email protected] | ||
with: | ||
# we let the report trigger content trigger a failure using the GitHub Security features. | ||
args: '-no-fail -exclude-dir=generated -exclude-dir=test -exclude-generated=true -fmt=sarif -out=results.sarif ./...' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
suggestion: Would it be a good idea to add a step to invoke the target in the makefile as well such as below to ensure consistency?
args: '-no-fail -exclude-dir=generated -exclude-dir=test -exclude-generated=true -fmt=sarif -out=results.sarif ./...' | |
- name: Run Gosec Security Scanner using the makefile target | |
run: | |
make gosec GOSEC_VER=v2.21.4 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm hesitant to go back to calling the make targets from the gh actions. Make is a build tool really.
If we try to keep the versions in sync I would prefer that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I had hoped to be able to pass in a config file with the gosec version etc but it seems it doesn't support it.
https://github.com/securego/gosec?tab=readme-ov-file#configuration
I think for now we can go with duplicated versions and look to replace the make files with something more suitable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm hesitant to go back to calling the make targets from the gh actions. Make is a build tool really. If we try to keep the versions in sync I would prefer that.
Keeping the versions in sync should definitely be a good goal. For now, we can merge the PR the way it is and add calling the makefile as well at a later time.
/test presubmit-nephio-go-test |
Clean up rebase error
/lgtm |
/lgtm |
It seems that any github action PRs must be merged manually. |
/test presubmit-nephio-go-test |
Adding a gh action to run gosec scans on PRs. Non blocking presubmit job will be enabled once all issues are resolved.
Update the existing gosec make target "make gosec" to align with the gh action verison