From 3494b0ffe4a28d152679188199eb0498a2465024 Mon Sep 17 00:00:00 2001
From: Charlie <31941002+CharlieMc0@users.noreply.github.com>
Date: Tue, 12 Sep 2023 11:31:30 -0400
Subject: [PATCH] ci: nosec detection (#1102)

* testing new code
* try with origin
* try fetch_depth
* try fetch_depth
* removing commits
* moving nosec
* adding dashes
* trying different commit
* added first commit
* see if first_commit has a value
* trying base ref to env
* echo var
* adding github context dump
* adding reopened
* trying env
* changing ref for base branch
* changing branch ref
* testing with hardcoded sha
* commented out extra lines
* using changed-files
* using changed files
* force recheck
* added quotes
* see file list
* try changing checkout version
* add develop branch
* testing last successful commit
* hardcoding base sha
* testing
* reverting
* rolled back go version on linter for this PR
* Added nosec label
* Fixed conditional label

---------

Co-authored-by: Athos
---
 .github/workflows/sast-linters.yml | 86 +++++++++++++++++++++++++++---
 1 file changed, 78 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/sast-linters.yml b/.github/workflows/sast-linters.yml
index 7f5bc04e13..8b86ea3c6c 100644
--- a/.github/workflows/sast-linters.yml
+++ b/.github/workflows/sast-linters.yml
@@ -25,9 +25,9 @@ jobs: fetch-depth: 0 - name: Set up Go - uses: actions/setup-go@v2 + uses: actions/setup-go@v3 with: - go-version: 1.19 + go-version: '1.20' # - name: Install Pipeline Dependencies # uses: ./.github/actions/install-dependencies 
@@ -59,24 +59,94 @@ jobs: lint: runs-on: ubuntu-latest - timeout-minutes: 10 + timeout-minutes: 15 env: GO111MODULE: on steps: - name: Checkout Source uses: actions/checkout@v2 - - # - name: Install Pipeline Dependencies - # uses: ./.github/actions/install-dependencies + with: + fetch-depth: 0 + + - name: Install Pipeline Dependencies + uses: ./.github/actions/install-dependencies - name: Set up Go uses: actions/setup-go@v3 with: - go-version: 1.19 + go-version: '1.19' - name: Run golangci-lint uses: golangci/golangci-lint-action@v3 with: version: v1.50 skip-cache: true - args: --timeout=30m + args: --timeout=15m + + nosec_alert: + runs-on: ubuntu-latest + timeout-minutes: 10 + env: + GO111MODULE: on + steps: + - name: Checkout Source + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Getting files updated in the PR + id: changed-files + uses: tj-actions/changed-files@v39 + with: + base_sha: ${{ github.event.pull_request.base.sha }} + + - name: List all changed files + run: | + for file in ${{ steps.changed-files.outputs.all_changed_files }}; do + echo "$file was changed" + done + + - name: Report nosec usage + run: | + nosec_list=() + nosec_detected=0 + echo "Changed files: ${{ steps.changed-files.outputs.all_changed_files }}" + + for file in ${{ steps.changed-files.outputs.all_changed_files }}; do + if git diff ${{ github.event.pull_request.base.sha }} $file | grep -q nosec; then + echo "nosec detected in $file" + nosec_list+=("$file,") + nosec_detected=1 + else + echo "nosec not detected in $file" + fi + done + + nosec_list_string="${nosec_list[@]}" + nosec_list_string="${nosec_list_string%,}" + echo "nosec_files=$nosec_list_string" >> $GITHUB_ENV + echo "nosec_detected=$nosec_detected" >> $GITHUB_ENV + + - name: Report nosec uses + uses: mshick/add-pr-comment@v2 + if: env.nosec_detected == 1 + with: + message: | + *!!!WARNING!!!* + `nosec` detected in the following files: ${{ env.nosec_files }} + + Be very careful about using `#nosec` in code. 
It can be a quick way to suppress security warnings and move forward with development, it should be employed with caution. Suppressing warnings with #nosec can hide potentially serious vulnerabilities. Only use #nosec when you're absolutely certain that the security issue is either a false positive or has been mitigated in another way. + + Pay extra attention to the way `#nosec` is being used in the files listed above. + + - name: Add Label + uses: actions/github-script@v6 + if: env.nosec_detected == 1 + with: + script: | + github.rest.issues.addLabels({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + labels: ["nosec"] + })
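Review bot: In the `List all changed files` and `Report nosec usage` steps of the new `nosec_alert` job, `${{ steps.changed-files.outputs.all_changed_files }}` is expanded into the `run:` script text before bash parses it, so file names chosen by the pull-request author become shell syntax; GitHub's Actions hardening guidance is to pass such values through `env:` and read them as quoted shell variables, as below. In the same loop, `git diff … $file` passes the name unquoted and without `--`, and `grep -q nosec` also matches removed and context lines, so deleting a `#nosec` or touching a file that already contains one is reported as new usage; anchoring on added lines (`grep -q '^+.*nosec'`) makes the check match what the PR comment claims. The comment and label steps need `pull-requests: write` (and `issues: write` for `addLabels`), and the token for pull requests from forks is read-only; the `permissions:` block and the `on:` trigger are outside the hunk, so confirm they allow this. `GO111MODULE: on` is copied into `nosec_alert` although that job runs no Go; if it is kept, `'on'` quoted avoids the YAML 1.1 boolean reading.

```yaml
    - name: Report nosec usage
      env:
        ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
        BASE_SHA: ${{ github.event.pull_request.base.sha }}
      run: |
        nosec_list=()
        nosec_detected=0
        echo "Changed files: $ALL_CHANGED_FILES"

        # split on whitespace only; no globbing and no re-parsing of names as shell syntax
        read -ra files <<< "$ALL_CHANGED_FILES"
        for file in "${files[@]}"; do
          # '--' keeps a name starting with '-' from being read as a git option;
          # '^+' limits the match to lines this PR adds
          if git diff "$BASE_SHA" -- "$file" | grep -q '^+.*nosec'; then
            echo "nosec detected in $file"
            nosec_list+=("$file,")
            nosec_detected=1
          else
            echo "nosec not detected in $file"
          fi
        done
        # … unchanged: join nosec_list and write nosec_files / nosec_detected to "$GITHUB_ENV" …
```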