bin/check_golang_security
#!/bin/bash
# This script creates a docker container with
# secretless mounted as a volume, and runs the
# gosec security check script within this container
set -eo pipefail
current_dir=$("$(dirname "$0")/abspath")
toplevel_dir="$current_dir/.."
# Default values to pass to security_scan
confidence='medium'
severity='high'
current_branch='main'
while getopts 'b:c:s:' flag; do
case "${flag}" in
b) current_branch="${OPTARG}" ;;
c) confidence="${OPTARG}" ;;
s) severity="${OPTARG}" ;;
esac
done
# Exclude test files
excluded_directories=${toplevel_dir}/test
# gosec => Scans go packages and flags security vulnerabilities
# Run as a container locally
if [[ ! -v BRANCH_NAME ]]; then
docker run --rm \
-v "$toplevel_dir/:/secretless/" \
secretless-dev \
bash -exc "
go install github.com/securego/gosec/v2/cmd/gosec@latest
git config --global --add safe.directory /secretless
./bin/run_gosec -c ${confidence} -s ${severity} -b ${current_branch} -e ${excluded_directories}
"
else
go install github.com/securego/gosec/v2/cmd/gosec@latest
git config --global --add safe.directory "${WORKSPACE}"
fi
./bin/run_gosec -c "${confidence}" -s "${severity}" -b "${current_branch}" -e "${excluded_directories}"