New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
976 - Introduce Security Scans for Go Packages #1053
Conversation
2fe89c9
to
adb87d1
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks great, thanks :D
Looking at the pipeline in blueocean, it struck me that the scanners (secretless image, go packages) could be parallelised as neither depends on the result of the other. That also groups them into a higher level security stage.
I noticed in the log that the xml doc is empty (apart from the xml declaration), is that the expected behaviour when there are no issues? Have you introduced a deliberate security issue to check it shows up in the Jenkins Test Results view?
@hughsaunders Thanks for the review! Addressing your comments in order:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking forward to getting this integrated :) left a few comments - I think this could be simplified a bit by combining the scripts and the naming could be clearer
It would also be nice to clean up the pipeline stages for the tests in the Jenkinsfile - they're a little inconsistently labeled right now and it looks odd in blue ocean. But that's optional.
Jenkinsfile
Outdated
@@ -31,6 +31,13 @@ pipeline { | |||
} | |||
} | |||
|
|||
stage('Scan Go Packages') { | |||
steps { | |||
sh "./bin/build_security_scan -s High -c 'Medium' -b ${env.BRANCH_NAME}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can the filename be changed to run_gosec
or similar? It would be clearer what it's actually doing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking at the other bin/ files, it looks like we use the 'check_' format for file names. So for golint, it's check_style. How about for this we use 'check_security'?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is it your intention that the file becomes a general script to run security checks, so that when we have another we'd like to run we also do it from this file?
I'm still not sure I like check_security
- security means a lot of different things to different people, so if we can find a way to be more clear I think that'd be good
bin/security_scan
Outdated
echo "directories regardless of what has been modified locally." | ||
echo " " | ||
echo "Format:" | ||
echo "security_scan [arguments]" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can this be integrated into the other file? I'm not sure I see the need for two separate files in bin to run this. If I'm missing something, please lmk
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since we wanted to run it within a docker container, I thought it would be easiest to have two separate files. I'm not very familiar with bash, but I assume that's the easiest way to run a large script like this inside a docker run command? Also, I thought it would be useful to have the script be able to run without using a docker container.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok, so there are two scripts because one is meant to be run in a docker container (which docker container?) and the other one actually runs the the container?
I feel like there might be some patterns for how to name and organize these that would make their intended use more clear, but I'm not close enough to the code lately to remember exactly what to point you to. @sgnn7 @jonahx do you have any examples of how we've done something like this in other cases? in particular, I'm concerned that if I look at the bin/
dir, it's not going to be obvious which script I should run to do a gosec
scan if we have two with similar names. I don't think this is the first time we've had to think about something like this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Currently I have them named as such:
- check_security: performs the gosec scan with whatever parameters you need
- run_check_security: creates a docker container with secretless mounted as a volume, and runs check_security on the volume
run_gosec_container may be clearer for the second one, and maybe something like run_gosec for the first?
003aead
to
b5fb744
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@BradleyBoutcher just some minor nits
f49d4ed
to
4e6ba7a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good. Just a couple of minor suggestions.
Comments addressed
c3d9105
to
75053ab
Compare
75053ab
to
af26632
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@BradleyBoutcher what do you think about check_golang_security
for the one that runs in the pipeline and run_gosec
for the local runner? those still sound similar enough, though - each script should have comments at the top of the file or usage instructions that are clear about the purpose of each file
c7515d0
to
7eec834
Compare
A new bash script which runs gosec on our packages We only flag issues of high severity with 'medium' or 'high' confidence by Gosec Gosec only scans directories modified by checking the Git diff first. If the branch is master, it scans the entire project. This way we save time in our pipeline while developing. Finally, the reports are exported as xml and parsed using Junit.
38bf4e2
to
aacac91
Compare
@@ -0,0 +1,69 @@ | |||
#!/usr/bin/env bash |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
as a follow-on to this PR, does it make sense to include this as a bash-lib script? cc @hughsaunders
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
What does this PR do (include background context, if relevant)?
A new bash script which runs gosec on our packages
We only flag issues of high severity with 'medium' or 'high' confidence by Gosec
Gosec only scans directories modified by checking the Git diff first. If the branch is master, it scans the entire project. This way we save time in our pipeline while developing.
Finally, the reports are exported as xml and parsed using Junit.
What ticket does this PR close?
Connected to #976 and #988
Where should the reviewer start?
bin/build_security_scan
What is the status of the manual tests?
NA
Links to open issues for related automated integration and unit tests
NA
Links to open issues for related documentation (in READMEs, docs, etc)
NA