976 - Introduce Security Scans for Go Packages

Jenkinsfile

@@ -25,9 +25,20 @@ pipeline {
       }
     }
 
-    stage('Scan Secretless Image') {
-      steps {
-        scanAndReport("secretless-broker:latest", "HIGH")
+    stage('Scan Secretless') {
+      parallel {
+        stage('Scan Secretless Image') {
+          steps {
+            scanAndReport("secretless-broker:latest", "HIGH")
+          }
+        }
+
+        stage('Scan For Security with Gosec') {
+          steps {
+            sh "./bin/check_golang_security -s High -c 'Medium' -b ${env.BRANCH_NAME}"
+            junit(allowEmptyResults: true, testResults: 'gosec.output')
+          }
+        }
       }
     }
 

bin/check_golang_security

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# This script creates a docker container with 
+# secretless mounted as a volume, and runs the 
+# gosec security check script within this container
+
+set -eo pipefail
+
+current_dir=$("$(dirname "$0")/abspath")
+toplevel_dir="$current_dir/.."
+
+# Default values to pass to security_scan
+confidence='medium'
+severity='high'
+current_branch='master'
+
+while getopts 'b:c:s:' flag; do
+  case "${flag}" in
+    b) current_branch="${OPTARG}" ;;
+    c) confidence="${OPTARG}" ;;
+    s) severity="${OPTARG}" ;;
+  esac
+done
+
+# Exclude test files
+excluded_directories=${toplevel_dir}/test
+
+# gosec => Scans go packages and flags security vulnerabilities
+docker run --rm \
+    -v "$toplevel_dir/:/secretless/" \
+    secretless-dev \
+    bash -exc "
+      go get github.com/securego/gosec/cmd/gosec
+      ./bin/run_gosec -c ${confidence} -s ${severity} -b ${current_branch} -e ${excluded_directories}
+    "

bin/run_gosec

@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+# This script can run independently of secretless
+# i.e. in any given local repository
+#
+# Performs a gosec scan with given parameters on 
+# the entire local repository (in the case of master branch)
+# or on just files modified, as detected in the git diff.
+
+print_usage() {
+    echo "Security Scanner"
+    echo 
+    echo "Description:"
+    echo "Runs gosec on directories which git detects and marks in the diff."
+    echo "If the branch is detected as 'master', it will scan all"
+    echo "directories regardless of what has been modified locally."
+    echo 
+    echo "Format:"
+    echo "security_scan [arguments]"
+    echo 
+    echo "Options:"
+    echo "-h                        Show help"
+    echo "-c                        Specify the minimum confidence gosec needs to report an issue."
+    echo "-s                        Specify the minimum severity gosec needs to report an issue"
+    echo "-b                        Specify the github branch to compare against master"
+    exit 0
+}
+
+# Default values for gosec
+confidence='medium'
+severity='high'
+current_branch=''
+excluded_directories=''
+
+while getopts 'b:c:e:s:h' flag; do
+  case "${flag}" in
+    b) current_branch="${OPTARG}" ;;
+    e) excluded_directories="${OPTARG}" ;;
+    c) confidence="${OPTARG}" ;;
+    s) severity="${OPTARG}" ;;
+    h) print_usage ;;
+    *) print_usage ;;
+  esac
+done
+
+# If we are on master, scan the entire repository
+modified_directories="./..."
+
+# Get an array of directories containing modified files
+if [[ ${current_branch} != 'master' ]]; then 
+    git fetch origin master:refs/remotes/origin/master
+    modified_directories=($(git diff origin/master...origin/"${current_branch}" --name-only | xargs -L1 dirname | uniq))
+fi
+
+# Remove output file just in case it exists
+rm -f "gosec.output" 
+
+# Run our scan, flagging only 'high' level issues with 'medium' or higher severity
+gosec -fmt=junit-xml \
+    -out=gosec.output \
+    -severity="${severity}" \
+    -confidence="${confidence}" \
+    -exclude-dir="${excluded_directories}" \
+    "${modified_directories[@]}"
+
+# Display output of gosec
+cat gosec.output