Skip to content

Commit

Permalink
Introduce static code analysis
Browse files Browse the repository at this point in the history
  • Loading branch information
Richard Kovacs committed Jan 3, 2024
1 parent 7a4b2e5 commit 5945030
Show file tree
Hide file tree
Showing 13 changed files with 538 additions and 104 deletions.
47 changes: 46 additions & 1 deletion .github/workflows/build_test_ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,16 @@ on:
pull_request:
branches: [ "main" ]

jobs:
permissions:
contents: read
pull-requests: read
actions: read

concurrency:
group: build-test-ci-${{ github.ref }}-1
cancel-in-progress: true

jobs:
go-build-test:
runs-on: ubuntu-latest
steps:
Expand All @@ -24,9 +32,46 @@ jobs:
- name: Test
run: make test

go-analyse:
needs: go-build-test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: 'stable'

- name: Docker cache
uses: ScribeMD/[email protected]
with:
key: docker-${{ runner.os }}-${{ hashFiles('Makefile') }}}

- name: Lint
run: make lint

- name: Gosec
run: make gosec

- uses: nick-fields/retry@v2
with:
timeout_minutes: 5
max_attempts: 3
command: make nilcheck

- name: Vulncheck
run: make vulncheck

docker-build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- name: Cache Docker images.
uses: ScribeMD/[email protected]
with:
key: docker-${{ runner.os }}-${{ hashFiles('Dockerfile') }}

- name: Build the Docker image
run: make docker-build
65 changes: 65 additions & 0 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
name: "CodeQL"

on:
push:
branches: [ "main" ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ "main" ]

permissions:
contents: read

concurrency:
group: codeql-${{ github.ref }}-1
cancel-in-progress: true

jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write

strategy:
fail-fast: false

steps:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
proxy.golang.org:443
sum.golang.org:443
objects.githubusercontent.com:443
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
with:
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
languages: go
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.

# Details on CodeQL's query packs refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality

# Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
- name: Autobuild
uses: github/codeql-action/autobuild@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
with:
category: "/language:go"
262 changes: 262 additions & 0 deletions .golangci.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,262 @@
run:
timeout: 5m

skip-files:
- "zz_generated\\..+\\.go$"

issues-exit-code: 1

output:
# colored-line-number|line-number|json|tab|checkstyle|code-climate, default is "colored-line-number"
format: colored-line-number

linters-settings:
errcheck:
# report about not checking of errors in type assetions: `a := b.(MyStruct)`;
# default is false: such cases aren't reported by default.
check-type-assertions: true

# report about assignment of errors to blank identifier: `num, _ := strconv.Atoi(numStr)`;
# default is false: such cases aren't reported by default.
check-blank: true

# [deprecated] comma-separated list of pairs of the form pkg:regex
# the regex is used to ignore names within pkg. (default "fmt:.*").
# see https://github.com/kisielk/errcheck#the-deprecated-method for details
ignore: fmt:.*,io/ioutil:^Read.*

govet:
# report about shadowed variables
check-shadowing: false

golint:
# minimal confidence for issues, default is 0.8
min-confidence: 0.8

gofmt:
# simplify code: gofmt with `-s` option, true by default
simplify: true

goimports:
# put imports beginning with prefix after 3rd-party packages;
# it's a comma-separated list of prefixes
local-prefixes: github.com/crossplane/provider-template

gocyclo:
# minimal code complexity to report, 30 by default (but we recommend 10-20)
min-complexity: 15

cyclop:
max-complexity: 15

maligned:
# print struct with more effective memory layout or not, false by default
suggest-new: true

dupl:
# tokens count to trigger issue, 150 by default
threshold: 100

goconst:
# minimal length of string constant, 3 by default
min-len: 3
# minimal occurrences count to trigger, 3 by default
min-occurrences: 5

lll:
# tab width in spaces. Default to 1.
tab-width: 1

unused:
# treat code as a program (not a library) and report unused exported identifiers; default is false.
# XXX: if you enable this setting, unused will report a lot of false-positives in text editors:
# if it's called for subdir of a project it can't find funcs usages. All text editor integrations
# with golangci-lint call it on a directory with the changed file.
check-exported: false

unparam:
# Inspect exported functions, default is false. Set to true if no external program/library imports your code.
# XXX: if you enable this setting, unparam will report a lot of false-positives in text editors:
# if it's called for subdir of a project it can't find external interfaces. All text editor integrations
# with golangci-lint call it on a directory with the changed file.
check-exported: false

prealloc:
# XXX: we don't recommend using this linter before doing performance profiling.
# For most programs usage of prealloc will be a premature optimization.

# Report preallocation suggestions only on simple loops that have no returns/breaks/continues/gotos in them.
# True by default.
simple: true
range-loops: true # Report preallocation suggestions on range loops, true by default
for-loops: false # Report preallocation suggestions on for loops, false by default

gocritic:
# Enable multiple checks by tags, run `GL_DEBUG=gocritic golangci-lint` run to see all tags and checks.
# Empty list by default. See https://github.com/go-critic/go-critic#usage -> section "Tags".
enabled-tags:
- diagnostic
- experimental
- opinionated
- performance
- style

# disabled-checks:
# - unnamedResult
# - hugeParam

settings: # settings passed to gocritic
captLocal: # must be valid enabled check name
paramsOnly: true
rangeValCopy:
sizeThreshold: 32

nolintlint:
require-explanation: true
require-specific: true

linters:
enable:
- asasalint
- asciicheck
- bidichk
- bodyclose
- containedctx
- contextcheck
- cyclop
- decorder
# - depguard
- dogsled
- dupl
- dupword
- durationcheck
- errchkjson
- errname
- errorlint
- errcheck
- exportloopref
- exhaustive
- exportloopref
- forbidigo
- forcetypeassert
# - funlen
# - gci
- gocheckcompilerdirectives
- gocognit
- goconst
- gocritic
# - godot
# - godox
# - goerr113
- gofmt
- goimports
- gomnd
- gocyclo
- goprintffuncname
- gosec
- gosimple
- govet
- ineffassign
- loggercheck
- maintidx
- makezero
- misspell
- nestif
- nilerr
- nilnil
- nlreturn
- noctx
- nolintlint
- paralleltest
- prealloc
- predeclared
- reassign
# - revive
- staticcheck
# - stylecheck
- tenv
- thelper
- typecheck
- unconvert
- unparam
- unused
- usestdlibvars
- varnamelen
- whitespace
# - wrapcheck

presets:
- bugs
- unused
fast: false


issues:
# Excluding configuration per-path and per-linter
exclude-rules:
# Exclude some linters from running on tests files.
- path: _test(ing)?\.go
linters:
- gocyclo
- errcheck
- dupl
- gosec
- exportloopref
- unparam

# Ease some gocritic warnings on test files.
- path: _test\.go
text: "(unnamedResult|exitAfterDefer)"
linters:
- gocritic

# These are performance optimisations rather than style issues per se.
# They warn when function arguments or range values copy a lot of memory
# rather than using a pointer.
- text: "(hugeParam|rangeValCopy):"
linters:
- gocritic

# This "TestMain should call os.Exit to set exit code" warning is not clever
# enough to notice that we call a helper method that calls os.Exit.
- text: "SA3000:"
linters:
- staticcheck

- text: "k8s.io/api/core/v1"
linters:
- goimports

# This is a "potential hardcoded credentials" warning. It's triggered by
# any variable with 'secret' in the same, and thus hits a lot of false
# positives in Kubernetes land where a Secret is an object type.
- text: "G101:"
linters:
- gosec
- gas

# This is an 'errors unhandled' warning that duplicates errcheck.
- text: "G104:"
linters:
- gosec
- gas

# Independently from option `exclude` we use default exclude patterns,
# it can be disabled by this option. To list all
# excluded by default patterns execute `golangci-lint run --help`.
# Default value for this option is true.
exclude-use-default: false

# Show only new issues: if there are unstaged changes or untracked files,
# only those changes are analyzed, else only changes in HEAD~ are analyzed.
# It's a super-useful option for integration of golangci-lint into existing
# large codebase. It's not practical to fix all existing issues at the moment
# of integration: much better don't allow issues in new code.
# Default is false.
new: false

# Maximum issues count per one linter. Set to 0 to disable. Default is 50.
max-per-linter: 0

# Maximum count of issues with the same text. Set to 0 to disable. Default is 3.
max-same-issues: 0
2 changes: 1 addition & 1 deletion .husky/hooks/pre-push
Original file line number Diff line number Diff line change
Expand Up @@ -16,4 +16,4 @@ fi
make generate manifests
git diff --exit-code --quiet || (git status && exit 1)

make test
make lint gosec nilcheck test
Loading

0 comments on commit 5945030

Please sign in to comment.