976 - Introduce Security Scans for Go Packages
A new bash script which runs gosec on our packages. We only flag issues of high severity with 'medium' or 'high' confidence, as reported by gosec. Gosec only scans directories that were modified, by checking the Git diff first. If the branch is master, it scans the entire project. This way we save time in our pipeline while developing. Finally, the reports are exported as XML and parsed using JUnit.
1 parent
06f6447
commit 7eec834
Showing
3 changed files
with
118 additions
and
3 deletions.
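--- /dev/null
+++ b/bin/check_golang_security
@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+# This script can run independently of secretless
+# i.e. in any given local repository
+#
+# Performs a gosec scan with given parameters on
+# the entire local repository (in the case of master branch)
+# or on just files modified, as detected in the git diff.
+
+print_usage() {
+echo "Security Scanner"
+echo
+echo "Description:"
+echo "Runs gosec on directories which git detects and marks in the diff."
+echo "If the branch is detected as 'master', it will scan all"
+echo "directories regardless of what has been modified locally."
+echo
+echo "Format:"
+echo "security_scan [arguments]"
+echo
+echo "Options:"
+echo "-h Show help"
+echo "-c Specify the minimum confidence gosec needs to report an issue."
+echo "-s Specify the minimum severity gosec needs to report an issue"
+echo "-b Specify the github branch to compare against master"
+exit 0
+}
+
+# Default values for gosec
+confidence='medium'
+severity='high'
+current_branch=''
+excluded_directories=''
+
+while getopts 'b:c:e:s:h' flag; do
+case "${flag}" in
+b) current_branch="${OPTARG}" ;;
+e) excluded_directories="${OPTARG}" ;;
+c) confidence="${OPTARG}" ;;
+s) severity="${OPTARG}" ;;
+h) print_usage ;;
+*) print_usage ;;
+esac
+done
+
+# If we are on master, scan the entire repository
+modified_directories="./..."
+
+# Get an array of directories containing modified files
+if [[ ${current_branch} != 'master' ]]; then
+git fetch origin master:refs/remotes/origin/master
+modified_directories=($(git diff origin/master...origin/"${current_branch}" --name-only | xargs -L1 dirname | uniq))
+fi
+
+# Remove output file just in case it exists
+rm -f "gosec.output"
+
+# Run our scan, flagging only 'high' level issues with 'medium' or higher severity
+gosec -fmt=junit-xml \
+-out=gosec.output \
+-severity="${severity}" \
+-confidence="${confidence}" \
+-exclude-dir="${excluded_directories}" \
+"${modified_directories[@]}"
+
+# Display output of gosec
+cat gosec.output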
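Review bot: The array built at `modified_directories=($(git diff … | xargs -L1 dirname | uniq))` relies on unquoted word-splitting, so a path containing whitespace becomes several bogus entries, and `uniq` without a preceding `sort` only collapses adjacent duplicates; `mapfile -t modified_directories < <(git diff --name-only origin/master..."origin/${current_branch}" | xargs -L1 dirname | sort -u)` yields one entry per directory. When the diff is empty the array expands to nothing and gosec is invoked with no target, and when `-b` is omitted the default `current_branch=''` turns the ref into the invalid `origin/` — both cases deserve an explicit check with a clear message before the scan runs. Because `set -e` is active and gosec exits non-zero when it reports findings (unless run with `-no-fail`), the final `cat gosec.output` is skipped in exactly the case where the report matters; capture the status with `gosec … || rc=$?`, then `cat gosec.output; exit "${rc:-0}"` so the report is shown and the pipeline still fails. The help text in `print_usage` omits the `-e` option that getopts accepts, and the comment above the gosec call has severity and confidence swapped relative to the defaults set earlier (`severity='high'`, `confidence='medium'`).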
@@ -0,0 +1,35 @@ | ||
#!/bin/bash | ||
|
||
# This script creates a docker container with | ||
# secretless mounted as a volume, and runs the | ||
# gosec security check script within this container | ||
|
||
set -eo pipefail | ||
|
||
current_dir=$("$(dirname "$0")/abspath") | ||
toplevel_dir="$current_dir/.." | ||
|
||
# Default values to pass to security_scan | ||
confidence='medium' | ||
severity='high' | ||
current_branch='master' | ||
|
||
while getopts 'b:c:s:' flag; do | ||
case "${flag}" in | ||
b) current_branch="${OPTARG}" ;; | ||
c) confidence="${OPTARG}" ;; | ||
s) severity="${OPTARG}" ;; | ||
esac | ||
done | ||
|
||
# Exclude test files | ||
excluded_directories=${toplevel_dir}/test | ||
|
||
# gosec => Scans go packages and flags security vulnerabilities | ||
docker run --rm \ | ||
-v "$toplevel_dir/:/secretless/" \ | ||
secretless-dev \ | ||
bash -exc " | ||
go get github.com/securego/gosec/cmd/gosec | ||
./bin/check_golang_security -c ${confidence} -s ${severity} -b ${current_branch} -e ${excluded_directories} | ||
" |
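Review bot: The `bash -exc "…"` command string in the `docker run` call has `${confidence}`, `${severity}`, `${current_branch}` and `${excluded_directories}` expanded by the host shell into the text the container then re-parses, so a value containing whitespace or shell metacharacters is split or interpreted inside the container instead of reaching `check_golang_security` as a single argument; hand them over as positional parameters of `bash -c` instead (below). `excluded_directories=${toplevel_dir}/test` is a host path, but gosec runs inside the container where the tree is mounted at `/secretless/`, so the exclusion presumably never matches and test code is scanned anyway — `/secretless/test` (or a path relative to the container's working directory) would be the consistent value; confirm against gosec's `-exclude-dir` matching. `go get github.com/securego/gosec/cmd/gosec` fetches whatever is current at run time, so scan results can change with no change to this repository; pinning a specific release or commit (e.g. `@<pinned-gosec-version>`, mechanism depending on the Go version in the image) keeps the scan reproducible. The `case` in the getopts loop has no `*)` arm, so an unrecognised flag only produces getopts' own warning and the scan proceeds with defaults.

```shell
docker run --rm \
  -v "$toplevel_dir/:/secretless/" \
  secretless-dev \
  bash -exc 'go get github.com/securego/gosec/cmd/gosec
    ./bin/check_golang_security -c "$1" -s "$2" -b "$3" -e "$4"' \
  _ "$confidence" "$severity" "$current_branch" "$excluded_directories"
```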