ci: nosec detection (#1102)
* testing new code

* try with origin

* try fetch_depth

* try fetch_depth

* removing commits

* moving nosec

* adding dashes

* trying different commit

* added first commit

* see if first_commit has a value

* trying base ref to env

* echo var

* adding github context dump

* adding reopened

* trying env

* changing ref for base branch

* changing branch ref

* testing with hardcoded sha

* commented out extra lines

* using changed-files

* using changed files

* force recheck

* added quotes

* see file list

* try changing checkout version

* add develop branch

* testing last successful commit

* hardcoding base sha

* testing

* reverting

* rolled back go version on linter for this PR

* Added nosec label

* Fixed conditional label

---------

Co-authored-by: Athos <[email protected]>
CharlieMc0 and afzeta authored Sep 12, 2023
1 parent 037dc0b commit 3494b0f
Showing 1 changed file with 78 additions and 8 deletions.
86 changes: 78 additions & 8 deletions .github/workflows/sast-linters.yml
Expand Up @@ -25,9 +25,9 @@ jobs:
fetch-depth: 0

- name: Set up Go
uses: actions/setup-go@v2
uses: actions/setup-go@v3
with:
go-version: 1.19
go-version: '1.20'

# - name: Install Pipeline Dependencies
# uses: ./.github/actions/install-dependencies
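Review bot: Quoting the new `go-version: '1.20'` is the right call, since an unquoted YAML `1.20` is parsed as the float 1.2 and would resolve to Go 1.2, but the `lint` job later in this file still asks for `go-version: '1.19'` (the commit message says this was rolled back on purpose), so the two jobs now build with different toolchains; a comment in the file explaining why, or a follow-up to reconcile them, would help the next reader. Consider also pinning `uses: actions/setup-go@v3` to a full commit SHA rather than the mutable `v3` tag, since the workflow otherwise runs whatever that tag points to at the time of the job.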
Expand Down Expand Up @@ -59,24 +59,94 @@ jobs:

lint:
runs-on: ubuntu-latest
timeout-minutes: 10
timeout-minutes: 15
env:
GO111MODULE: on
steps:
- name: Checkout Source
uses: actions/checkout@v2

# - name: Install Pipeline Dependencies
# uses: ./.github/actions/install-dependencies
with:
fetch-depth: 0

- name: Install Pipeline Dependencies
uses: ./.github/actions/install-dependencies

- name: Set up Go
uses: actions/setup-go@v3
with:
go-version: 1.19
go-version: '1.19'

- name: Run golangci-lint
uses: golangci/golangci-lint-action@v3
with:
version: v1.50
skip-cache: true
args: --timeout=30m
args: --timeout=15m

nosec_alert:
runs-on: ubuntu-latest
timeout-minutes: 10
env:
GO111MODULE: on
steps:
- name: Checkout Source
uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Getting files updated in the PR
id: changed-files
uses: tj-actions/changed-files@v39
with:
base_sha: ${{ github.event.pull_request.base.sha }}

- name: List all changed files
run: |
for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
echo "$file was changed"
done
- name: Report nosec usage
run: |
nosec_list=()
nosec_detected=0
echo "Changed files: ${{ steps.changed-files.outputs.all_changed_files }}"
for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
if git diff ${{ github.event.pull_request.base.sha }} $file | grep -q nosec; then
echo "nosec detected in $file"
nosec_list+=("$file,")
nosec_detected=1
else
echo "nosec not detected in $file"
fi
done
nosec_list_string="${nosec_list[@]}"
nosec_list_string="${nosec_list_string%,}"
echo "nosec_files=$nosec_list_string" >> $GITHUB_ENV
echo "nosec_detected=$nosec_detected" >> $GITHUB_ENV
- name: Report nosec uses
uses: mshick/add-pr-comment@v2
if: env.nosec_detected == 1
with:
message: |
*!!!WARNING!!!*
`nosec` detected in the following files: ${{ env.nosec_files }}
Be very careful about using `#nosec` in code. It can be a quick way to suppress security warnings and move forward with development, it should be employed with caution. Suppressing warnings with #nosec can hide potentially serious vulnerabilities. Only use #nosec when you're absolutely certain that the security issue is either a false positive or has been mitigated in another way.
Pay extra attention to the way `#nosec` is being used in the files listed above.
- name: Add Label
uses: actions/github-script@v6
if: env.nosec_detected == 1
with:
script: |
github.rest.issues.addLabels({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
labels: ["nosec"]
})
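Review bot: The `Report nosec usage` step interpolates `${{ steps.changed-files.outputs.all_changed_files }}` straight into the shell script, both in `for file in ...` and in the unquoted `git diff ${{ github.event.pull_request.base.sha }} $file` call, so a file name chosen by the PR author that contains shell metacharacters is evaluated by the runner's shell; expose the output through an `env:` entry and iterate over that variable instead, and quote `"$file"` in the `git diff` command. The detection itself, `grep -q nosec` over the full diff output, matches the substring `nosec` anywhere in that output, including removed lines and unchanged context, so a PR that deletes a `#nosec` or merely edits a file near an existing one is flagged too; anchoring on added lines (for example `grep -q '^+.*#nosec'`) would make the PR comment and the `nosec` label reflect newly introduced suppressions only. A style point: the `List all changed files` step duplicates the `echo "Changed files: ..."` line at the top of the next step and could be dropped.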
