Merge pull request #1053 from cyberark/976-security-scan
976 - Introduce Security Scans for Go Packages
Showing
3 changed files
with
118 additions
and
3 deletions.
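--- /dev/null
+++ b/FILE-1-PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# This script creates a docker container with
+# secretless mounted as a volume, and runs the
+# gosec security check script within this container
+
+set -eo pipefail
+
+current_dir=$("$(dirname "$0")/abspath")
+toplevel_dir="$current_dir/.."
+
+# Default values to pass to security_scan
+confidence='medium'
+severity='high'
+current_branch='master'
+
+while getopts 'b:c:s:' flag; do
+case "${flag}" in
+b) current_branch="${OPTARG}" ;;
+c) confidence="${OPTARG}" ;;
+s) severity="${OPTARG}" ;;
+esac
+done
+
+# Exclude test files
+excluded_directories=${toplevel_dir}/test
+
+# gosec => Scans go packages and flags security vulnerabilities
+docker run --rm \
+-v "$toplevel_dir/:/secretless/" \
+secretless-dev \
+bash -exc "
+go get github.com/securego/gosec/cmd/gosec
+./bin/run_gosec -c ${confidence} -s ${severity} -b ${current_branch} -e ${excluded_directories}
+"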
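Review bot: `-e ${excluded_directories}` on the last line of the `bash -exc` string passes `${toplevel_dir}/test`, which is a host path if `abspath` resolves as its name suggests, into a container where the repository is mounted at `/secretless/`, so the exclusion most likely never matches and the test tree is scanned anyway; the in-container path `excluded_directories=/secretless/test` is what gosec will see. The four option values are also expanded unquoted into the command text, so a branch name containing whitespace or shell metacharacters is re-parsed by the inner shell; handing them over as positional arguments (below) keeps them out of the command string, assuming the image's working directory is `/secretless`, as the relative `./bin/run_gosec` implies. Separately, `go get github.com/securego/gosec/cmd/gosec` is unpinned, so every scan installs whatever is current upstream and results are not reproducible between runs — pin a tagged release or build from a vendored copy. The getopts loop has no `*)` arm, so an unknown flag is silently ignored rather than reported.
```bash
# Exclude test files — path as seen inside the container, where the
# repository is mounted at /secretless/
excluded_directories=/secretless/test

# gosec => Scans go packages and flags security vulnerabilities
docker run --rm \
  -v "$toplevel_dir/:/secretless/" \
  secretless-dev \
  bash -exc '
    go get github.com/securego/gosec/cmd/gosec
    ./bin/run_gosec -c "$1" -s "$2" -b "$3" -e "$4"
  ' _ "$confidence" "$severity" "$current_branch" "$excluded_directories"
```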
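--- /dev/null
+++ b/FILE-2-PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+# This script can run independently of secretless
+# i.e. in any given local repository
+#
+# Performs a gosec scan with given parameters on
+# the entire local repository (in the case of master branch)
+# or on just files modified, as detected in the git diff.
+
+print_usage() {
+echo "Security Scanner"
+echo
+echo "Description:"
+echo "Runs gosec on directories which git detects and marks in the diff."
+echo "If the branch is detected as 'master', it will scan all"
+echo "directories regardless of what has been modified locally."
+echo
+echo "Format:"
+echo "security_scan [arguments]"
+echo
+echo "Options:"
+echo "-h Show help"
+echo "-c Specify the minimum confidence gosec needs to report an issue."
+echo "-s Specify the minimum severity gosec needs to report an issue"
+echo "-b Specify the github branch to compare against master"
+exit 0
+}
+
+# Default values for gosec
+confidence='medium'
+severity='high'
+current_branch=''
+excluded_directories=''
+
+while getopts 'b:c:e:s:h' flag; do
+case "${flag}" in
+b) current_branch="${OPTARG}" ;;
+e) excluded_directories="${OPTARG}" ;;
+c) confidence="${OPTARG}" ;;
+s) severity="${OPTARG}" ;;
+h) print_usage ;;
+*) print_usage ;;
+esac
+done
+
+# If we are on master, scan the entire repository
+modified_directories="./..."
+
+# Get an array of directories containing modified files
+if [[ ${current_branch} != 'master' ]]; then
+git fetch origin master:refs/remotes/origin/master
+modified_directories=($(git diff origin/master...origin/"${current_branch}" --name-only | xargs -L1 dirname | uniq))
+fi
+
+# Remove output file just in case it exists
+rm -f "gosec.output"
+
+# Run our scan, flagging only 'high' level issues with 'medium' or higher severity
+gosec -fmt=junit-xml \
+-out=gosec.output \
+-severity="${severity}" \
+-confidence="${confidence}" \
+-exclude-dir="${excluded_directories}" \
+"${modified_directories[@]}"
+
+# Display output of gosec
+cat gosec.output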
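Review bot: The `modified_directories=($(git diff …))` assignment word-splits and glob-expands an unquoted substitution, so any path containing whitespace or glob characters is mangled before it reaches gosec, and `uniq` without a preceding `sort` collapses only adjacent duplicates; the version below reads NUL-delimited names with `mapfile` and dedupes with `sort -u`. It also stops early when the diff yields no directories, since otherwise gosec is invoked with no package argument; a deleted file likewise contributes a directory that may no longer exist, which is worth a guard if gosec errors on it (not verifiable from here). With the default `current_branch=''` the non-master path compares against `origin/`, which git rejects with an unhelpful message — `: "${current_branch:?-b <branch> is required}"` before the fetch would make that explicit. The comment above the gosec call has confidence and severity swapped and no longer matches the parameterised flags (`# Report issues at or above the requested severity and confidence` would do), and `*) print_usage ;;` exits 0 for an unknown option. If gosec exits non-zero when it reports findings, `set -e` ends the script before `cat gosec.output`, so the report is never displayed exactly when it matters.
```bash
# Get the unique set of directories containing modified files.
# NUL-delimited so paths with whitespace survive; sort -u so
# non-adjacent duplicates are collapsed too.
if [[ ${current_branch} != 'master' ]]; then
  git fetch origin master:refs/remotes/origin/master
  mapfile -t modified_directories < <(
    git diff -z --name-only origin/master...origin/"${current_branch}" \
      | xargs -0 -n1 dirname \
      | sort -u
  )
  if (( ${#modified_directories[@]} == 0 )); then
    echo "No modified directories to scan" >&2
    exit 0
  fi
fi
# … unchanged: rm -f gosec.output, gosec invocation, cat …
```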