\976 - Introduce Security Scans for Go Packages

A new bash script which runs gosec on our packages

We only flag issues of high severity with 'medium' or 'high' confidence by Gosec
Gosec only scans directories modified by checking the Git diff first. If the branch is master, it scans the entire project. This way we save time in our pipeline while developing.
Finally, the reports are exported as xml and parsed using Junit.

Jenkinsfile

@@ -25,9 +25,20 @@ pipeline {
       }
     }
 
-    stage('Scan Secretless Image') {
-      steps {
-        scanAndReport("secretless-broker:latest", "HIGH")
+    stage('Scan Secretless') {
+      parallel {
+        stage('Scan Secretless Image') {
+          steps {
+            scanAndReport("secretless-broker:latest", "HIGH")
+          }
+        }
+
+        stage('Scan For Security with Gosec') {
+          steps {
+            sh "./bin/run_check_security -s High -c 'Medium' -b ${env.BRANCH_NAME}"
+            junit(allowEmptyResults: true, testResults: 'gosec.output')
+          }
+        }
       }
     }
 

bin/check_security

@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+print_usage() {
+    echo "Security Scanner"
+    echo 
+    echo "Description:"
+    echo "Runs gosec on directories which git detects and marks in the diff."
+    echo "If the branch is detected as 'master', it will scan all"
+    echo "directories regardless of what has been modified locally."
+    echo 
+    echo "Format:"
+    echo "security_scan [arguments]"
+    echo 
+    echo "Options:"
+    echo "-h                        Show help"
+    echo "-c                        Specify the minimum confidence gosec needs to report an issue."
+    echo "-s                        Specify the minimum severity gosec needs to report an issue"
+    echo "-b                        Specify the github branch to compare against master"
+    exit 0
+}
+
+# Default values for gosec
+confidence='medium'
+severity='high'
+current_branch=''
+
+while getopts 'b:c:s:h' flag; do
+  case "${flag}" in
+    b) current_branch="${OPTARG}" ;;
+    c) confidence="${OPTARG}" ;;
+    s) severity="${OPTARG}" ;;
+    h) print_usage ;;
+    *) print_usage ;;
+  esac
+done
+
+# This script is designed to be ran within the Secretless-Broker repository,
+# to use elsewhere, you will need to change this.
+current_dir=$("$(dirname "$0")/abspath")
+toplevel_dir="$current_dir/.."
+
+# If we are on master, scan the entire repository
+modified_directories="./..."
+
+# Get an array of directories containing modified files
+if [[ ${current_branch} != 'master' ]]; then 
+    git fetch origin master:refs/remotes/origin/master
+    modified_directories=($(git diff origin/master..."${current_branch}" --name-only | xargs -L1 dirname | uniq))
+fi
+
+# Exclude test files
+test_dir=${toplevel_dir}/test
+
+# Remove output file just in case it exists
+rm -f "gosec.output" 
+
+# Run our scan, flagging only 'high' level issues with 'medium' or higher severity
+gosec -fmt=junit-xml \
+    -out=gosec.output \
+    -severity="${severity}" \
+    -confidence="${confidence}" \
+    -exclude-dir="${test_dir}" \
+    "${modified_directories[@]}"
+
+# Display output of gosec
+cat gosec.output

bin/run_check_security

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+set -eo pipefail
+
+current_dir=$("$(dirname "$0")/abspath")
+toplevel_dir="$current_dir/.."
+
+# Default values to pass to security_scan
+confidence='medium'
+severity='high'
+current_branch='master'
+
+while getopts 'b:c:s:' flag; do
+  case "${flag}" in
+    b) current_branch="${OPTARG}" ;;
+    c) confidence="${OPTARG}" ;;
+    s) severity="${OPTARG}" ;;
+  esac
+done
+
+# gosec => Scans go packages and flags security vulnerabilities
+docker run --rm \
+    -v "$toplevel_dir/:/secretless/" \
+    secretless-dev \
+    bash -exc "
+      go get github.com/securego/gosec/cmd/gosec
+      ./bin/check_security -c ${confidence} -s ${severity} -b ${current_branch}
+    "