
Add Govulncheck as a new securityTest

Open fguisso opened this issue 3 years ago • 2 comments


Motivation

Golang Security team has developed a new tool to detect vulnerable packages in Golang code and it will be a great addition to huskyCI analysis.

It would be great if

We have all the necessary code to run this scan!

What we expect

  • A working container of Govulncheck that outputs a JSON after running the analysis in a particular folder. Similar to this, to be uploaded to Docker Hub as huskyci/govulncheck:latest.
  • Add into config.yaml commands needed to run inside the securityTest container.
  • Adjust context.go to have the new Govulncheck securityTest configs.
  • Add new error messages related to Govulncheck in messagecodes.go.
  • Add a new file into securitytest package and adjust its logic to now handle Govulncheck output.
  • Add new code into client analysis package to print to STDOUT Govulncheck results.

Tips

  • Search how a particular securityTest works and apply the same logic (Ctrl + F + "bandit" will do 🙃).

fguisso avatar Oct 03 '22 15:10 fguisso
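The "What we expect" list above asks for a securitytest handler that turns Govulncheck's JSON into huskyCI results. The following Go program is an added example for that step, not code from the huskyCI project or from the issue author. It assumes the `govulncheck -json` stream format as understood by the example's author: a sequence of JSON objects keyed `config`, `progress`, `osv` and `finding`, where a finding's `trace[0]` is the vulnerable frame (module-only, package-level, or function-level) and later frames walk back to the scanned code. The input below is a constructed stream with fake OSV IDs and module names so that it runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// message is the envelope of one object in the `govulncheck -json` stream.
// Field names follow the govulncheck JSON output as the author of this example
// understands it (an assumption, not taken from huskyCI); only the fields the
// example needs are declared, everything else is ignored by encoding/json.
type message struct {
	OSV     *osvEntry `json:"osv,omitempty"`
	Finding *finding  `json:"finding,omitempty"`
}

type osvEntry struct {
	ID      string   `json:"id"`
	Summary string   `json:"summary"`
	Aliases []string `json:"aliases"`
}

type finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version"`
	Trace        []frame `json:"trace"`
}

type frame struct {
	Module   string `json:"module"`
	Version  string `json:"version"`
	Package  string `json:"package"`
	Function string `json:"function"`
	Receiver string `json:"receiver"`
}

// Result is the shape a securityTest would hand back to huskyCI: one row per
// vulnerability, with reachability (a vulnerable symbol is actually called)
// kept separate from "the module is merely in the dependency graph".
type Result struct {
	ID           string
	Summary      string
	Aliases      []string
	Module       string
	Version      string
	FixedVersion string
	Called       bool   // true once a finding names a vulnerable function
	Symbol       string // the vulnerable symbol, when Called
}

// ParseGovulncheckJSON consumes the whole stream and merges the OSV entries
// with the findings that reference them. Assumption: Trace[0] is the
// vulnerable frame; later frames walk back to the scanned code's entry point.
func ParseGovulncheckJSON(r io.Reader) ([]Result, error) {
	dec := json.NewDecoder(r)
	entries := map[string]*osvEntry{}
	byID := map[string]*Result{}
	for {
		var m message
		err := dec.Decode(&m)
		if err == io.EOF {
			break
		}
		if err != nil { // truncated or malformed stream: fail the scan, don't report "clean"
			return nil, fmt.Errorf("govulncheck json: %w", err)
		}
		switch {
		case m.OSV != nil:
			entries[m.OSV.ID] = m.OSV
		case m.Finding != nil && len(m.Finding.Trace) > 0:
			f := m.Finding
			res, ok := byID[f.OSV]
			if !ok {
				res = &Result{ID: f.OSV, FixedVersion: f.FixedVersion}
				byID[f.OSV] = res
			}
			vuln := f.Trace[0]
			if vuln.Module != "" {
				res.Module, res.Version = vuln.Module, vuln.Version
			}
			if vuln.Function != "" { // a function-level finding means the symbol is reachable
				res.Called = true
				res.Symbol = symbolName(vuln)
			}
		}
	}
	out := make([]Result, 0, len(byID))
	for id, res := range byID {
		if e, ok := entries[id]; ok {
			res.Summary, res.Aliases = e.Summary, e.Aliases
		}
		out = append(out, *res)
	}
	// Deterministic order: reachable vulnerabilities first, then by ID.
	sort.Slice(out, func(i, j int) bool {
		if out[i].Called != out[j].Called {
			return out[i].Called
		}
		return out[i].ID < out[j].ID
	})
	return out, nil
}

// symbolName renders package, receiver and function of a frame as one string.
func symbolName(f frame) string {
	name := f.Function
	if f.Receiver != "" {
		name = f.Receiver + "." + name
	}
	if f.Package != "" {
		name = f.Package + "." + name
	}
	return name
}

// sampleStream is a constructed govulncheck -json stream (fake IDs, fake
// modules): one vulnerability whose symbol is called, one only imported.
const sampleStream = `
{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"osv":{"id":"GO-EXAMPLE-0001","summary":"Unbounded allocation in Decode","aliases":["CVE-0000-00001"]}}
{"osv":{"id":"GO-EXAMPLE-0002","summary":"Path traversal in Open","aliases":["CVE-0000-00002"]}}
{"finding":{"osv":"GO-EXAMPLE-0001","fixed_version":"v1.2.1","trace":[{"module":"example.com/codec","version":"v1.2.0"}]}}
{"finding":{"osv":"GO-EXAMPLE-0001","fixed_version":"v1.2.1","trace":[{"module":"example.com/codec","version":"v1.2.0","package":"example.com/codec/json","function":"Decode","receiver":"*Decoder"},{"module":"example.com/app","package":"example.com/app","function":"handleUpload"}]}}
{"finding":{"osv":"GO-EXAMPLE-0002","fixed_version":"v0.9.0","trace":[{"module":"example.com/fsutil","version":"v0.8.3"}]}}
{"progress":{"message":"Scanning your code and 12 packages across 3 dependent modules for known vulnerabilities..."}}
`

func main() {
	results, err := ParseGovulncheckJSON(strings.NewReader(sampleStream))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, r := range results {
		status := "imported only"
		if r.Called {
			status = "CALLED via " + r.Symbol
		}
		fmt.Printf("%s %s@%s (fix %s): %s [%s]\n", r.ID, r.Module, r.Version, r.FixedVersion, r.Summary, status)
	}
}
```

Keeping `Called` separate from the module-level presence is the point of using Govulncheck over a plain SCA lookup: the handler can map reachable findings to a failing severity and leave import-only ones as informational, and a decode error aborts the scan instead of being reported as zero vulnerabilities.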

config.yaml file doesn't seem to be available

vitorduarte avatar Oct 04 '22 23:10 vitorduarte

We are testing a more complete solution for SCA; probably we will drop this issue beside the implementation of osvscanner + cdxgen.

fguisso avatar Oct 17 '23 03:10 fguisso