From 457a95dde46c24cfd3eae870c67b3dceb0047ac3 Mon Sep 17 00:00:00 2001 From: Aleksandar Stojanov Date: Mon, 11 Nov 2024 10:06:07 +0100 Subject: [PATCH 1/3] feature: scan code with bearer and gosec Signed-off-by: Aleksandar Stojanov --- .github/workflows/ci.yaml | 9 +++++++++ pkg/generator.go | 5 +++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 3fe1e65..1e321bf 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -33,6 +33,15 @@ jobs: skip-cache: true - name: Check code run: make check + - name: Run Gosec Security Scanner + uses: securego/gosec@master + with: + args: ./... + - name: Run Bearer scan + uses: bearer/bearer-action@v2 + with: + scanner: secrets,sast + diff: true - name: Run tests run: make test-all - name: Install plugin diff --git a/pkg/generator.go b/pkg/generator.go index 90f562b..d1f469c 100644 --- a/pkg/generator.go +++ b/pkg/generator.go @@ -5,6 +5,7 @@ import ( "errors" "fmt" "os" + "path/filepath" "strings" "gopkg.in/yaml.v3" @@ -37,7 +38,7 @@ func GenerateJsonSchema(config *Config) error { // Iterate over the input YAML files for _, filePath := range config.Input { - content, err := os.ReadFile(filePath) + content, err := os.ReadFile(filepath.Clean(filePath)) if err != nil { return errors.New("error reading YAML file(s)") } @@ -110,7 +111,7 @@ func GenerateJsonSchema(config *Config) error { // Write the JSON schema to the output file outputPath := config.OutputPath - if err := os.WriteFile(outputPath, jsonBytes, 0644); err != nil { + if err := os.WriteFile(outputPath, jsonBytes, 0600); err != nil { return errors.New("error writing schema to file") } From 8a3f86b9ddd0a24de216b014eb4eb623dafa68ae Mon Sep 17 00:00:00 2001 From: Aleksandar Stojanov Date: Mon, 11 Nov 2024 10:24:14 +0100 Subject: [PATCH 2/3] renam test and generate testdata schemas 
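Review bot: Both new steps reference mutable refs — `uses: securego/gosec@master` and `uses: bearer/bearer-action@v2` — so the scanner code that runs with access to the repository checkout can change without any commit here; patch 3/3 moves gosec to `@v2.21.4`, which narrows the window, but a tag can still be re-pointed. Pin each action to a full commit SHA and keep the version as a trailing comment, e.g. `uses: securego/gosec@<commit-sha-of-v2.21.4> # v2.21.4`, and the same for bearer-action. The same point applies to the ci.yaml hunk in patch 3/3, which leaves bearer-action at `@v2`. Neither step declares a failure threshold, so it appears any gosec finding fails the job; if that is intended, a one-line comment on the step saying so would save the next maintainer from guessing.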
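Review bot: `filepath.Clean(filePath)` on the new `os.ReadFile` line does not restrict which file is read — it only normalizes `..` segments and duplicate separators, so the cleaned path can still resolve anywhere on the filesystem; it quiets gosec's G304 without adding a control. If `config.Input` is always supplied by the operator running the tool (likely for a CLI plugin, but not visible in this hunk), state that instead of implying a mitigation: keep `os.ReadFile(filePath)` with `// #nosec G304 -- input paths are chosen by the user running the tool`; if any caller passes paths from an untrusted source, resolve them against an allowed base directory and reject those that escape it. While here, the context line `return errors.New("error reading YAML file(s)")` discards both `err` and the file name, so a missing or unreadable input is hard to diagnose; `return fmt.Errorf("reading YAML file %q: %w", filePath, err)` preserves both and `fmt` is already imported. The enclosing `GenerateJsonSchema` starts and ends outside the hunk.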
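Review bot: Changing the mode on the `os.WriteFile` line from `0644` to `0600` is an observable behavior change rather than a pure hardening: the generated JSON schema is a non-sensitive artifact meant to be consumed by other tooling, and a 0600 file is unreadable to any other UID (for example when a CI container writes the schema and a later step or volume consumer reads it as a different user). If the tightening is only to satisfy gosec's G306, prefer keeping `0644` and recording the decision on the line, e.g. `if err := os.WriteFile(outputPath, jsonBytes, 0644); err != nil { // #nosec G306 -- schema output is a public artifact`; if 0600 is really wanted, call the permission change out in the changelog since existing users may depend on the old mode. The enclosing `GenerateJsonSchema` starts and ends outside the hunk.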
Signed-off-by: Aleksandar Stojanov --- pkg/generator_test.go | 2 +- testdata/anchors.schema.json | 5 +++++ testdata/basic.schema.json | 5 +++++ testdata/meta.schema.json | 5 +++++ 4 files changed, 16 insertions(+), 1 deletion(-) diff --git a/pkg/generator_test.go b/pkg/generator_test.go index 11fff24..c1fce06 100644 --- a/pkg/generator_test.go +++ b/pkg/generator_test.go @@ -37,7 +37,7 @@ func TestGenerateJsonSchema(t *testing.T) { templateSchemaFile: "../testdata/full.schema.json", }, { - name: "full json schema", + name: "noAdditionalProperties", config: &Config{ Draft: 2020, Indent: 4, diff --git a/testdata/anchors.schema.json b/testdata/anchors.schema.json index 3282a74..b8a975c 100644 --- a/testdata/anchors.schema.json +++ b/testdata/anchors.schema.json @@ -1,5 +1,9 @@ { + "$id": "https://example.com/schema", + "$ref": "schema/product.json", "$schema": "https://json-schema.org/draft/2020-12/schema", + "additionalProperties": true, + "description": "Schema for Helm values", "properties": { "app": { "properties": { @@ -20,5 +24,6 @@ "type": "object" } }, + "title": "Helm Values Schema", "type": "object" } diff --git a/testdata/basic.schema.json b/testdata/basic.schema.json index d09075d..a743800 100644 --- a/testdata/basic.schema.json +++ b/testdata/basic.schema.json @@ -1,5 +1,9 @@ { + "$id": "https://example.com/schema", + "$ref": "schema/product.json", "$schema": "https://json-schema.org/draft/2020-12/schema", + "additionalProperties": true, + "description": "Schema for Helm values", "properties": { "empty": { "type": "null" @@ -57,5 +61,6 @@ "type": "array" } }, + "title": "Helm Values Schema", "type": "object" } diff --git a/testdata/meta.schema.json b/testdata/meta.schema.json index f392785..4183d7b 100644 --- a/testdata/meta.schema.json +++ b/testdata/meta.schema.json 
@@ -1,5 +1,9 @@ { + "$id": "https://example.com/schema", + "$ref": "schema/product.json", "$schema": "https://json-schema.org/draft/2020-12/schema", + "additionalProperties": true, + "description": "Schema for Helm values", "properties": { "fullnameOverride": { "title": "Full name override", @@ -50,5 +54,6 @@ "type": "array" } }, + "title": "Helm Values Schema", "type": "object" } From 82462e6ca6e6e375e34480ebeb33a24c2ca0fe5c Mon Sep 17 00:00:00 2001 From: Aleksandar Stojanov Date: Mon, 11 Nov 2024 10:37:41 +0100 Subject: [PATCH 3/3] pin gosec to version Signed-off-by: Aleksandar Stojanov --- .github/workflows/ci.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 1e321bf..91492f4 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -34,10 +34,10 @@ jobs: - name: Check code run: make check - name: Run Gosec Security Scanner - uses: securego/gosec@master + uses: securego/gosec@v2.21.4 with: args: ./... - - name: Run Bearer scan + - name: Bearer uses: bearer/bearer-action@v2 with: scanner: secrets,sast