Introduce static code analysis
Richard Kovacs committed Jan 3, 2024
1 parent 7a4b2e5 commit 99cb8e2
Showing 12 changed files with 472 additions and 104 deletions.
46 changes: 45 additions & 1 deletion .github/workflows/build_test_ci.yml
Expand Up @@ -6,8 +6,18 @@ on:
pull_request:
branches: [ "main" ]

jobs:
permissions:
contents: read
pull-requests: read
actions: read
security-events: write
packages: write

concurrency:
group: build-test-ci-${{ github.ref }}-1
cancel-in-progress: true

jobs:
go-build-test:
runs-on: ubuntu-latest
steps:
Expand All @@ -24,9 +34,43 @@ jobs:
- name: Test
run: make test

go-analyse:
needs: go-build-test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: 'stable'

- name: Docker cache
uses: ScribeMD/[email protected]
with:
key: docker-${{ runner.os }}-${{ hashFiles('Makefile') }}}

- name: Lint
run: make lint

- name: Gosec
run: make gosec

- name: Nilcheck
run: make nilcheck

- name: Vulncheck
run: make vulncheck

docker-build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- name: Cache Docker images.
uses: ScribeMD/[email protected]
with:
key: docker-${{ runner.os }}-${{ hashFiles('Dockerfile') }}

- name: Build the Docker image
run: make docker-build
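Review bot: The workflow-level `permissions:` block added in the first hunk grants `security-events: write` and `packages: write` to every job, including `go-build-test` and `go-analyse`, which only check out code and run Go tooling; least privilege is to keep the workflow level at `contents: read` and move `security-events: write` (and `packages: write`, if `make docker-build` pushes an image — not visible here) under the single job that needs it. As written, no step in `go-analyse` uploads results to code scanning, so the `security-events: write` grant appears unused. The cache key in `go-analyse`, `key: docker-${{ runner.os }}-${{ hashFiles('Makefile') }}}`, has one closing brace too many, so the key ends in a literal `}`; it should be `key: docker-${{ runner.os }}-${{ hashFiles('Makefile') }}`. `go-version: 'stable'` also floats the toolchain between runs; pinning a version (or a `go.mod`-driven `go-version-file`) keeps analysis results reproducible.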
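--- a/.golangci.yml
+++ b/.golangci.yml
@@ -0,0 +1,262 @@
+run:
+timeout: 5m
+
+skip-files:
+- "zz_generated\\..+\\.go$"
+
+issues-exit-code: 1
+
+output:
+# colored-line-number|line-number|json|tab|checkstyle|code-climate, default is "colored-line-number"
+format: colored-line-number
+
+linters-settings:
+errcheck:
+# report about not checking of errors in type assetions: `a := b.(MyStruct)`;
+# default is false: such cases aren't reported by default.
+check-type-assertions: true
+
+# report about assignment of errors to blank identifier: `num, _ := strconv.Atoi(numStr)`;
+# default is false: such cases aren't reported by default.
+check-blank: true
+
+# [deprecated] comma-separated list of pairs of the form pkg:regex
+# the regex is used to ignore names within pkg. (default "fmt:.*").
+# see https://github.com/kisielk/errcheck#the-deprecated-method for details
+ignore: fmt:.*,io/ioutil:^Read.*
+
+govet:
+# report about shadowed variables
+check-shadowing: false
+
+golint:
+# minimal confidence for issues, default is 0.8
+min-confidence: 0.8
+
+gofmt:
+# simplify code: gofmt with `-s` option, true by default
+simplify: true
+
+goimports:
+# put imports beginning with prefix after 3rd-party packages;
+# it's a comma-separated list of prefixes
+local-prefixes: github.com/crossplane/provider-template
+
+gocyclo:
+# minimal code complexity to report, 30 by default (but we recommend 10-20)
+min-complexity: 15
+
+cyclop:
+max-complexity: 15
+
+maligned:
+# print struct with more effective memory layout or not, false by default
+suggest-new: true
+
+dupl:
+# tokens count to trigger issue, 150 by default
+threshold: 100
+
+goconst:
+# minimal length of string constant, 3 by default
+min-len: 3
+# minimal occurrences count to trigger, 3 by default
+min-occurrences: 5
+
+lll:
+# tab width in spaces. Default to 1.
+tab-width: 1
+
+unused:
+# treat code as a program (not a library) and report unused exported identifiers; default is false.
+# XXX: if you enable this setting, unused will report a lot of false-positives in text editors:
+# if it's called for subdir of a project it can't find funcs usages. All text editor integrations
+# with golangci-lint call it on a directory with the changed file.
+check-exported: false
+
+unparam:
+# Inspect exported functions, default is false. Set to true if no external program/library imports your code.
+# XXX: if you enable this setting, unparam will report a lot of false-positives in text editors:
+# if it's called for subdir of a project it can't find external interfaces. All text editor integrations
+# with golangci-lint call it on a directory with the changed file.
+check-exported: false
+
+prealloc:
+# XXX: we don't recommend using this linter before doing performance profiling.
+# For most programs usage of prealloc will be a premature optimization.
+
+# Report preallocation suggestions only on simple loops that have no returns/breaks/continues/gotos in them.
+# True by default.
+simple: true
+range-loops: true # Report preallocation suggestions on range loops, true by default
+for-loops: false # Report preallocation suggestions on for loops, false by default
+
+gocritic:
+# Enable multiple checks by tags, run `GL_DEBUG=gocritic golangci-lint` run to see all tags and checks.
+# Empty list by default. See https://github.com/go-critic/go-critic#usage -> section "Tags".
+enabled-tags:
+- diagnostic
+- experimental
+- opinionated
+- performance
+- style
+
+# disabled-checks:
+# - unnamedResult
+# - hugeParam
+
+settings: # settings passed to gocritic
+captLocal: # must be valid enabled check name
+paramsOnly: true
+rangeValCopy:
+sizeThreshold: 32
+
+nolintlint:
+require-explanation: true
+require-specific: true
+
+linters:
+enable:
+- asasalint
+- asciicheck
+- bidichk
+- bodyclose
+- containedctx
+- contextcheck
+- cyclop
+- decorder
+# - depguard
+- dogsled
+- dupl
+- dupword
+- durationcheck
+- errchkjson
+- errname
+- errorlint
+- errcheck
+- exportloopref
+- exhaustive
+- exportloopref
+- forbidigo
+- forcetypeassert
+# - funlen
+# - gci
+- gocheckcompilerdirectives
+- gocognit
+- goconst
+- gocritic
+# - godot
+# - godox
+# - goerr113
+- gofmt
+- goimports
+- gomnd
+- gocyclo
+- goprintffuncname
+- gosec
+- gosimple
+- govet
+- ineffassign
+- loggercheck
+- maintidx
+- makezero
+- misspell
+- nestif
+- nilerr
+- nilnil
+- nlreturn
+- noctx
+- nolintlint
+- paralleltest
+- prealloc
+- predeclared
+- reassign
+# - revive
+- staticcheck
+# - stylecheck
+- tenv
+- thelper
+- typecheck
+- unconvert
+- unparam
+- unused
+- usestdlibvars
+- varnamelen
+- whitespace
+# - wrapcheck
+
+presets:
+- bugs
+- unused
+fast: false
+
+
+issues:
+# Excluding configuration per-path and per-linter
+exclude-rules:
+# Exclude some linters from running on tests files.
+- path: _test(ing)?\.go
+linters:
+- gocyclo
+- errcheck
+- dupl
+- gosec
+- exportloopref
+- unparam
+
+# Ease some gocritic warnings on test files.
+- path: _test\.go
+text: "(unnamedResult|exitAfterDefer)"
+linters:
+- gocritic
+
+# These are performance optimisations rather than style issues per se.
+# They warn when function arguments or range values copy a lot of memory
+# rather than using a pointer.
+- text: "(hugeParam|rangeValCopy):"
+linters:
+- gocritic
+
+# This "TestMain should call os.Exit to set exit code" warning is not clever
+# enough to notice that we call a helper method that calls os.Exit.
+- text: "SA3000:"
+linters:
+- staticcheck
+
+- text: "k8s.io/api/core/v1"
+linters:
+- goimports
+
+# This is a "potential hardcoded credentials" warning. It's triggered by
+# any variable with 'secret' in the same, and thus hits a lot of false
+# positives in Kubernetes land where a Secret is an object type.
+- text: "G101:"
+linters:
+- gosec
+- gas
+
+# This is an 'errors unhandled' warning that duplicates errcheck.
+- text: "G104:"
+linters:
+- gosec
+- gas
+
+# Independently from option `exclude` we use default exclude patterns,
+# it can be disabled by this option. To list all
+# excluded by default patterns execute `golangci-lint run --help`.
+# Default value for this option is true.
+exclude-use-default: false
+
+# Show only new issues: if there are unstaged changes or untracked files,
+# only those changes are analyzed, else only changes in HEAD~ are analyzed.
+# It's a super-useful option for integration of golangci-lint into existing
+# large codebase. It's not practical to fix all existing issues at the moment
+# of integration: much better don't allow issues in new code.
+# Default is false.
+new: false
+
+# Maximum issues count per one linter. Set to 0 to disable. Default is 50.
+max-per-linter: 0
+
+# Maximum count of issues with the same text. Set to 0 to disable. Default is 3.
+max-same-issues: 0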
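Review bot: The `G101:` rule under `issues.exclude-rules` silences gosec's hardcoded-credentials finding for the entire repository, not just for code that handles Kubernetes `Secret` objects, so a token embedded in any other package would go unreported. A narrower rule keeps the stated intent: add a `path:` to that entry restricting it to the package(s) where `Secret` types appear (e.g. `path: <PACKAGE_PATH_WITH_K8S_TYPES>/`), and handle any remaining false positive with a `//nolint:gosec // <reason>` that the `nolintlint` `require-explanation` setting already enforces. Separately, `exportloopref` appears twice in `linters.enable`, and the `golint` and `maligned` blocks in `linters-settings` configure linters that are not enabled (both are deprecated in golangci-lint), so those entries only mislead readers. The comment on the G101 rule should read "any variable with 'secret' in the name", not "in the same".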
2 changes: 1 addition & 1 deletion .husky/hooks/pre-push
Expand Up @@ -16,4 +16,4 @@ fi
make generate manifests
git diff --exit-code --quiet || (git status && exit 1)

make test
make lint gosec nilcheck test
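Review bot: The new pre-push line runs `make lint gosec nilcheck test` but omits `vulncheck`, while the `go-analyse` CI job runs all four analysers, so a push that passes the hook can still fail CI on a govulncheck finding; `make lint gosec nilcheck vulncheck test` would keep the hook and CI in step. Because the `lint` and `gosec` targets run through `docker run`, this hook now needs a working Docker daemon on every developer machine — worth stating in the contributor docs if it is not already. The enclosing script starts outside the hunk.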
32 changes: 31 additions & 1 deletion Makefile
Expand Up @@ -62,9 +62,25 @@ fmt: ## Run go fmt against code.
vet: ## Run go vet against code.
go vet ./...

.PHONY: gosec
gosec: ## Run gosec against code.
docker run --rm -w /workdir -v $(PWD):/workdir securego/gosec:2.18.2 -exclude-dir=bin -exclude-generated ./...

.PHONY: lint
lint: ## Run lint against code.
docker run --rm -w /workdir -v $(PWD):/workdir golangci/golangci-lint:v1.55 golangci-lint run -c .golangci.yml

.PHONY: nilcheck
nilcheck: nilaway ## Run nil check against code.
nilaway ./...

.PHONY: vulncheck
vulncheck: govulncheck ## Run vulnerability check against code.
govulncheck ./...

.PHONY: test
test: manifests generate fmt vet envtest ## Run tests.
KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test ./... -coverprofile cover.out
KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test -race -timeout 60s ./... -coverprofile cover.out

##@ Build

Expand Down Expand Up @@ -151,6 +167,8 @@ TILT ?= $(LOCALBIN)/tilt
KIND ?= $(LOCALBIN)/kind
ENVTEST ?= $(LOCALBIN)/setup-envtest
HUSKY ?= $(LOCALBIN)/husky
NILAWAY ?= $(LOCALBIN)/nilaway
GOVULNC ?= $(LOCALBIN)/govulncheck

## Tool Versions
KUSTOMIZE_VERSION ?= v5.1.1
Expand All @@ -160,6 +178,8 @@ CONTROLLER_TOOLS_VERSION ?= v0.13.0
TILT_VERSION ?= 0.33.6
KIND_VERSION ?= 0.20.0
HUSKY_VERSION ?= v0.2.16
NILAWAY_VERSION ?= latest
GOVULNC_VERSION ?= latest

.PHONY: kustomize
kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. If wrong version is installed, it will be removed before downloading.
Expand Down Expand Up @@ -217,6 +237,16 @@ husky: $(HUSKY) ## Download husky locally if necessary.
$(HUSKY): $(LOCALBIN)
GOBIN=$(LOCALBIN) go install github.com/automation-co/husky@$(HUSKY_VERSION)

.PHONY: nilaway
nilaway: $(NILAWAY) ## Download nilaway locally if necessary.
$(NILAWAY): $(LOCALBIN)
GOBIN=$(LOCALBIN) go install go.uber.org/nilaway/cmd/nilaway@$(NILAWAY_VERSION)

.PHONY: govulncheck
govulncheck: $(GOVULNC) ## Download govulncheck locally if necessary.
$(GOVULNC): $(LOCALBIN)
GOBIN=$(LOCALBIN) go install golang.org/x/vuln/cmd/govulncheck@$(GOVULNC_VERSION)

.PHONY: clean
clean:
rm -rf $(LOCALBIN)
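Review bot: `nilcheck` and `vulncheck` depend on the download targets `nilaway` and `govulncheck`, which install into `$(LOCALBIN)`, yet their recipes invoke the bare `nilaway ./...` and `govulncheck ./...` from `PATH`, so the downloaded binaries are only used if `$(LOCALBIN)` happens to be on `PATH`; the recipes should be `$(NILAWAY) ./...` and `$(GOVULNC) ./...`, the way `test` references `$(ENVTEST)`. `NILAWAY_VERSION ?= latest` and `GOVULNC_VERSION ?= latest` make the analysis non-reproducible between machines and over time; pinning a tagged version, as `HUSKY_VERSION` and the `securego/gosec:2.18.2` image are pinned, is the safer default, and `golangci/golangci-lint:v1.55` likewise floats across patch releases where a full patch-level tag would not. The `docker run` lines mount `$(PWD)`, which Make only inherits from the environment and which may be unset or stale under some invocations; `$(CURDIR)` is Make's own absolute working directory and should be quoted, `-v "$(CURDIR)":/workdir`.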