\976 - Introduce Security Scans for Go Packages
A new bash script which runs gosec on our packages. We only flag issues of high severity with 'medium' or 'high' confidence by Gosec. Gosec only scans directories that were modified, by checking the Git diff first. If the branch is master, it scans the entire project. This way we save time in our pipeline while developing. Finally, the reports are exported as XML and parsed using JUnit.
1 parent
06f6447
commit 4e6ba7a
Showing
3 changed files
with
109 additions
and
3 deletions.
@@ -0,0 +1,67 @@ | ||
#!/usr/bin/env bash | ||
|
||
set -eo pipefail | ||
|
||
print_usage() { | ||
echo "Security Scanner" | ||
echo " " | ||
echo "Description:" | ||
echo "Runs gosec on directories which git detects and marks in the diff." | ||
echo "If the branch is detected as 'master', it will scan all" | ||
echo "directories regardless of what has been modified locally." | ||
echo " " | ||
echo "Format:" | ||
echo "security_scan [arguments]" | ||
echo " " | ||
echo "Options:" | ||
echo "-h, --help Show help" | ||
echo "-c Specify the minimum confidence gosec needs to report an issue." | ||
echo "-s Specify the minimum severity gosec needs to report an issue" | ||
exit 0 | ||
} | ||
|
||
# Default values for gosec | ||
confidence='medium' | ||
severity='high' | ||
current_branch='' | ||
|
||
while getopts 'b:c:s:h' flag; do | ||
case "${flag}" in | ||
b) current_branch="${OPTARG}" ;; | ||
c) confidence="${OPTARG}" ;; | ||
s) severity="${OPTARG}" ;; | ||
h) print_usage ;; | ||
*) print_usage ;; | ||
esac | ||
done | ||
|
||
# This script is designed to be ran within the Secretless-Broker repository, | ||
# to use elsewhere, you will need to change this. | ||
current_dir=$("$(dirname "$0")/abspath") | ||
toplevel_dir="$current_dir/.." | ||
|
||
# If we are on master, scan the entire repository | ||
modified_directories="./..." | ||
|
||
# Get an array of directories containing modified files | ||
if [[ ${current_branch} != 'master' ]]; then | ||
git fetch origin master:refs/remotes/origin/master | ||
modified_directories=$(git diff origin/master...origin/"${current_branch}" --name-only | xargs -L1 dirname | uniq) | ||
fi | ||
|
||
# Exclude test files | ||
test_dir=${toplevel_dir}/test | ||
|
||
# Reset output file just in case it exists | ||
rm -f "gosec.output" | ||
|
||
# Run our scan, flagging only 'high' level issues with 'medium' or higher severity | ||
gosec -fmt=junit-xml \ | ||
-out=gosec.output \ | ||
-severity="${severity}" \ | ||
-confidence="${confidence}" \ | ||
-exclude-dir="${test_dir}" \ | ||
$modified_directories | ||
|
||
# Display output of gosec | ||
cat gosec.output |
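Review bot: gosec exits non-zero when it reports findings (its default unless `-no-fail` is given), so under `set -e` the script stops at the gosec call on the line before `cat gosec.output` and the report is never displayed in exactly the case where you want to read it; capture the status instead of letting `-e` act: `rc=0`, `gosec ... $modified_directories || rc=$?`, then `cat gosec.output` followed by `exit "$rc"`. The comment above the call has the two terms swapped — the defaults select severity `high` with confidence `medium` or higher — so `# Run our scan, flagging only 'high' severity issues reported with 'medium' or higher confidence` describes what the options do. Two edge cases worth confirming: the default `current_branch=''` makes `origin/"${current_branch}"` an invalid ref so the `git diff` aborts the script unless `-b` is always passed, and a branch whose diff touches no files leaves the pipeline input empty, which on GNU xargs still runs `dirname` with no operand and trips `pipefail` (an explicit `[[ -n "$modified_directories" ]]` check before the scan, or `xargs -r` where available, would guard that). I also can't tell from here whether `-exclude-dir` given the absolute `${test_dir}` matches targets passed as repo-relative directory names, nor whether non-Go directories (docs, config) produced by the diff are accepted by gosec — both are worth a quick check against a real branch.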
@@ -0,0 +1,28 @@ | ||
#!/bin/bash | ||
|
||
set -eo pipefail | ||
|
||
current_dir=$("$(dirname "$0")/abspath") | ||
toplevel_dir="$current_dir/.." | ||
|
||
# Default values to pass to security_scan | ||
confidence='medium' | ||
severity='high' | ||
current_branch='master' | ||
|
||
while getopts 'b:c:s:' flag; do | ||
case "${flag}" in | ||
b) current_branch="${OPTARG}" ;; | ||
c) confidence="${OPTARG}" ;; | ||
s) severity="${OPTARG}" ;; | ||
esac | ||
done | ||
|
||
# gosec => Scans go packages and flags security vulnerabilities | ||
docker run --rm \ | ||
-v "$toplevel_dir/:/secretless/" \ | ||
secretless-dev \ | ||
bash -exc " | ||
go get github.com/securego/gosec/cmd/gosec | ||
./bin/check_security -c ${confidence} -s ${severity} -b ${current_branch} | ||
" |