Add security audits to CI #7
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
Pull Request Overview
Introduces automated security audits in the Go CI pipeline using gosec.
- Adds a `.gosec.json` configuration file to enable and customize security rules.
- Installs and runs gosec in the existing Go workflow, outputs SARIF/JSON/text results, and uploads artifacts.
- Updates downstream reporting and release jobs to include security scan results.
Reviewed Changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .gosec.json | New gosec config enabling specific rules and outputs |
| .github/workflows/go.yml | CI workflow enhanced with caching, gosec scan steps, artifact uploads, and report updates |
Comments suppressed due to low confidence (1)
.github/workflows/go.yml:415
- The `test-reports` job declares a dependency on a `security` job which isn't defined elsewhere in this workflow, causing the pipeline to fail. Either define a `security` job or remove it from `needs`.
needs: [unit-tests, n-node-tests, benchmark-tests, security]
| "confidence": "low", | ||
| "severity": "low", | ||
| "quiet": false, | ||
| "verbose": "text", |
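Review bot: `quiet` and `verbose` on these lines mirror gosec command-line options rather than settings the `-conf` file is documented to carry, so confirm they are honoured at all; the simplest fix is to drop `verbose` and pass `-quiet` on the gosec invocation instead. The `severity`/`confidence` values are also lowercase here while the workflow's gate later compares against uppercase `HIGH`/`MEDIUM`; if these two keys are meant as reporting thresholds, gosec accepts them as the `-severity` and `-confidence` CLI flags, which removes the ambiguity.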
Copilot (AI) commented on Jul 12, 2025:
The verbose key is not recognized in gosec's configuration schema. Consider removing it or using the --verbose CLI flag instead.
| "verbose": "text", |
| # Run gosec with configuration file and multiple output formats | ||
| gosec -conf .gosec.json -fmt sarif -out gosec-results.sarif ./... | ||
| gosec -conf .gosec.json -fmt json -out gosec-results.json ./... | ||
| gosec -conf .gosec.json -fmt text -out gosec-results.txt ./... | ||
| # Display results in CI log | ||
| echo "=== GOSEC SECURITY SCAN RESULTS ===" | ||
| gosec -conf .gosec.json ./... | ||
| # Check if any HIGH or MEDIUM severity issues found | ||
| if gosec -conf .gosec.json -fmt json ./... | jq -r '.Issues[]? | select(.severity == "HIGH" or .severity == "MEDIUM") | .severity' | grep -q "HIGH\|MEDIUM"; then |
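Review bot: the three report-producing runs and the "Display results" run all execute before the severity gate, and gosec exits non-zero whenever it reports findings; a GitHub Actions `run` step uses `bash -e`, so the first invocation that finds anything aborts the step before the final `if` is reached, which means the HIGH/MEDIUM gate never runs on exactly the builds it exists for. Either add `-no-fail` to the report-producing invocations so the `if` stays the single place that decides pass/fail, or collapse the step to one scan as the following comment suggests. Separately, `grep -q "HIGH\|MEDIUM"` is redundant after `select(.severity == "HIGH" or .severity == "MEDIUM")`, which already filters; `grep -q .` (any output at all) expresses the intent more plainly.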
Copilot (AI) commented on Jul 12, 2025:
[nitpick] The workflow runs gosec multiple times (SARIF, JSON, text, and log). This repeats analysis and increases CI runtime; consider running it once and converting or splitting outputs from a single report.
| # Run gosec with configuration file and multiple output formats | |
| gosec -conf .gosec.json -fmt sarif -out gosec-results.sarif ./... | |
| gosec -conf .gosec.json -fmt json -out gosec-results.json ./... | |
| gosec -conf .gosec.json -fmt text -out gosec-results.txt ./... | |
| # Display results in CI log | |
| echo "=== GOSEC SECURITY SCAN RESULTS ===" | |
| gosec -conf .gosec.json ./... | |
| # Check if any HIGH or MEDIUM severity issues found | |
| if gosec -conf .gosec.json -fmt json ./... | jq -r '.Issues[]? | select(.severity == "HIGH" or .severity == "MEDIUM") | .severity' | grep -q "HIGH\|MEDIUM"; then | |
| # Run gosec once and output results in JSON format | |
| gosec -conf .gosec.json -fmt json -out gosec-results.json ./... | |
| # Convert JSON output to SARIF format | |
| jq '{"version": "2.1.0", "runs": [.]} | .runs[0].results = (.runs[0].results // [])' gosec-results.json > gosec-results.sarif | |
| # Convert JSON output to text format | |
| jq -r '.Issues[] | "\(.severity): \(.details) [\(.file):\(.line)]"' gosec-results.json > gosec-results.txt | |
| # Display results in CI log | |
| echo "=== GOSEC SECURITY SCAN RESULTS ===" | |
| cat gosec-results.txt | |
| # Check if any HIGH or MEDIUM severity issues found | |
| if jq -r '.Issues[]? | select(.severity == "HIGH" or .severity == "MEDIUM") | .severity' gosec-results.json | grep -q "HIGH\|MEDIUM"; then |
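Review bot: the jq on the "Convert JSON output to SARIF format" line does not yield a valid SARIF log. It wraps gosec's JSON object, whose findings live under `Issues` (as the very next line's `.Issues[]` shows), as a single run and then forces `results` to an empty array, so the file carries no `$schema`, no `tool.driver`, and zero results; an upload-sarif step would reject it or upload nothing. Keep gosec's native `-fmt sarif` run (present in the original lines) for the SARIF artifact and derive only the text view from the JSON report. Also, the text-conversion line uses `.Issues[]` without the `?` that the final check uses, so a `null` `Issues` would make jq error there while the gate below tolerates it; use the same `.Issues[]?` on both.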
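The single-scan approach the comment above argues for can be made concrete without re-running gosec at all: scan once with `-fmt json`, then derive the human-readable text view and the HIGH/MEDIUM gate from that one file. The script below is an added example, not code from the PR or the gosec project. It embeds a constructed sample report in the shape gosec's JSON formatter emits (assumed field names: `Issues`, `severity`, `details`, `file`, `line`, `rule_id`); in CI you would pass the real `gosec-results.json` path as the first argument and use the process exit status as the gate. The SARIF artifact is left to gosec's own `-fmt sarif` formatter, since SARIF cannot be recovered from the JSON shape by wrapping it.

```python
"""Summarise one gosec JSON report and gate on severity (added example, not project code)."""
import json
import sys

# Severities that should fail the pipeline (matches the workflow's HIGH/MEDIUM check).
GATE_SEVERITIES = {"HIGH", "MEDIUM"}

# Constructed sample in gosec's `-fmt json` shape; not output from a real scan.
SAMPLE_REPORT = json.dumps({
    "Issues": [
        {"severity": "HIGH", "confidence": "HIGH", "rule_id": "G101",
         "details": "Potential hardcoded credentials",
         "file": "cmd/app/main.go", "line": "42"},
        {"severity": "LOW", "confidence": "HIGH", "rule_id": "G104",
         "details": "Errors unhandled",
         "file": "pkg/util/io.go", "line": "17"},
    ],
    "Stats": {"files": 9, "lines": 978, "nosec": 0, "found": 2},
})


def load_issues(report_text):
    """Parse the report and return its issue list; a missing or null `Issues` is an empty list."""
    data = json.loads(report_text)
    return data.get("Issues") or []


def text_lines(issues):
    """Render each issue as `SEVERITY: details [file:line] (rule)` for the CI log / text artifact."""
    return [
        f"{i['severity']}: {i['details']} [{i['file']}:{i['line']}] ({i['rule_id']})"
        for i in issues
    ]


def gate(issues, severities=GATE_SEVERITIES):
    """Return (should_fail, number_of_gating_findings); comparison is case-insensitive."""
    hits = [i for i in issues if str(i.get("severity", "")).upper() in severities]
    return bool(hits), len(hits)


def main(path=None):
    """Print the text view and return the exit status CI should use (1 = gate failed)."""
    report_text = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    issues = load_issues(report_text)
    print("=== GOSEC SECURITY SCAN RESULTS ===")
    for line in text_lines(issues):
        print(line)
    fail, count = gate(issues)
    print(f"{count} HIGH/MEDIUM finding(s); total findings: {len(issues)}")
    return 1 if fail else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

In the workflow this replaces the four scanner invocations with one `gosec -conf .gosec.json -no-fail -fmt json -out gosec-results.json ./...` followed by `python3 gate.py gosec-results.json`, so the step's exit status comes from the gate alone and the text artifact is a by-product of the same report.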
Codecov Report

All modified and coverable lines are covered by tests ✅

❌ Your project status has failed because the head coverage (19.01%) is below the target coverage (80.00%). You can increase the head coverage or adjust the target coverage.

Coverage Diff (main vs. #7):

| | main | #7 | +/- |
|---|---|---|---|
| Coverage | 22.09% | 19.01% | -3.08% |
| Files | 8 | 9 | +1 |
| Lines | 842 | 978 | +136 |
| Hits | 186 | 186 | |
| Misses | 653 | 789 | +136 |
| Partials | 3 | 3 | |

Flags with carried forward coverage won't be shown.