Conversation

@vpnachev
Member

@vpnachev vpnachev commented Oct 31, 2024

What this PR does / why we need it:
Enable gosec for SAST scans

Which issue(s) this PR fixes:
Fixes #164

Special notes for your reviewer:

Release note:

`gosec` is made available for SAST (static application security testing); it can be run with `make sast` or `make sast-report`.

@vpnachev vpnachev requested a review from a team as a code owner October 31, 2024 14:44
@gardener-robot gardener-robot added the needs/review Needs review label Oct 31, 2024
@gardener-robot-ci-2
Contributor

This PR proposes changes that would break the pipeline definition:

oidc-webhook-authenticator-enable-sast: Traceback (most recent call last):
  File "/usr/lib/python3.12/site-packages/concourse/replicator.py", line 141, in render
    definition_descriptor = self._render(definition_descriptor)
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/concourse/replicator.py", line 185, in _render
    'definition': factory.create_pipeline_definition(),
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/concourse/factory.py", line 88, in create_pipeline_definition
    self._apply_traits(variant)
  File "/usr/lib/python3.12/site-packages/concourse/factory.py", line 177, in _apply_traits
    transformer.process_pipeline_args(pipeline_def)
  File "/usr/lib/python3.12/site-packages/concourse/model/traits/release.py", line 505, in process_pipeline_args
    raise ValueError(f'{asset=}\'s step_name refers to an absent build-step')
ValueError: asset=BuildstepLogAsset(ocm_labels=[{'name': 'gardener.cloud/purposes', 'value': ['lint', 'sast', 'gosec']}, {'name': 'gardener.cloud/comment', 'value': 'We use gosec (linter) for SAST scans, see: https://github.com/securego/gosec.\nEnabled by https://github.com/gardener/oidc-webhook-authenticator/pull/165\n'}], type='build-step-log', name='verify-build-step-log', step_name='verify', artefact_type='application/data', artefact_extra_id={}, purposes=['lint', 'sast', 'gosec'], comment='We use gosec (linter) for SAST scans, see: https://github.com/securego/gosec.\nEnabled by https://github.com/gardener/oidc-webhook-authenticator/pull/165\n')'s step_name refers to an absent build-step

@gardener-robot gardener-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Oct 31, 2024
@gardener-robot-ci-2 gardener-robot-ci-2 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Oct 31, 2024
dimityrmirchev previously approved these changes Nov 1, 2024
Member

@dimityrmirchev dimityrmirchev left a comment

Thanks!

/lgtm

@gardener-robot gardener-robot added reviewed/lgtm Has approval for merging and removed needs/review Needs review labels Nov 1, 2024
@gardener-robot-ci-3 gardener-robot-ci-3 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Nov 1, 2024
@dimityrmirchev
Member

The check step fails, I guess we should exclude the gosec linter from golangci-lint

@gardener-robot-ci-3 gardener-robot-ci-3 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Nov 1, 2024
@gardener-robot-ci-2
Contributor

This PR proposes changes that would break the pipeline definition:

oidc-webhook-authenticator-enable-sast: Traceback (most recent call last):
  File "/usr/lib/python3.12/site-packages/concourse/replicator.py", line 141, in render
    definition_descriptor = self._render(definition_descriptor)
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/concourse/replicator.py", line 185, in _render
    'definition': factory.create_pipeline_definition(),
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/concourse/factory.py", line 88, in create_pipeline_definition
    self._apply_traits(variant)
  File "/usr/lib/python3.12/site-packages/concourse/factory.py", line 177, in _apply_traits
    transformer.process_pipeline_args(pipeline_def)
  File "/usr/lib/python3.12/site-packages/concourse/model/traits/release.py", line 505, in process_pipeline_args
    raise ValueError(f'{asset=}\'s step_name refers to an absent build-step')
ValueError: asset=BuildstepLogAsset(ocm_labels=[{'name': 'gardener.cloud/purposes', 'value': ['lint', 'sast', 'gosec']}, {'name': 'gardener.cloud/comment', 'value': 'We use gosec (linter) for SAST scans, see: https://github.com/securego/gosec.\nEnabled by https://github.com/gardener/oidc-webhook-authenticator/pull/165\n'}], type='build-step-log', name='verify-build-step-log', step_name='verify', artefact_type='application/data', artefact_extra_id={}, purposes=['lint', 'sast', 'gosec'], comment='We use gosec (linter) for SAST scans, see: https://github.com/securego/gosec.\nEnabled by https://github.com/gardener/oidc-webhook-authenticator/pull/165\n')'s step_name refers to an absent build-step

@gardener-robot gardener-robot added needs/review Needs review and removed needs/review Needs review labels Nov 1, 2024
@gardener-robot-ci-2 gardener-robot-ci-2 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Nov 1, 2024
@gardener-robot-ci-3 gardener-robot-ci-3 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Nov 1, 2024
Member

@dimityrmirchev dimityrmirchev left a comment

/lgtm

@dimityrmirchev dimityrmirchev merged commit 0d08bd4 into gardener:master Nov 1, 2024
1 check passed
@gardener-robot gardener-robot added the status/closed Issue is closed (either delivered or triaged) label Nov 1, 2024
@vpnachev vpnachev deleted the enable-sast branch November 1, 2024 11:41
Labels

- ci/broken-pipeline-definition
- needs/ok-to-test: Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD)
- reviewed/lgtm: Has approval for merging
- size/S: Denotes a PR that changes 10-29 lines, ignoring generated files.
- status/closed: Issue is closed (either delivered or triaged)

Development

Successfully merging this pull request may close these issues.

Introduce gosec for Static Application Security Testing (SAST)