gosec enablement

Signed-off-by: Kim Tsao <[email protected]>

Author: kim-tsao

.github/workflows/ci.yaml

@@ -63,6 +63,22 @@ jobs:
       - name: Upload coverage to Codecov
         uses: codecov/[email protected]
 
+    - name: Run Gosec Security Scanner
+      run: |
+        go install github.com/securego/gosec/v2/cmd/gosec@latest
+        ./run_gosec.sh
+        if [[ $? != 0 ]]
+        then
+          echo "gosec scanner failed to run "
+          exit 1
+        fi   
+
+    - name: Upload SARIF file
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+        # Path to SARIF file relative to the root of the repository
+        sarif_file: gosec.sarif
+
   test_minikube:
     name: Test Devfile Registry
     runs-on: ubuntu-latest

run_gosec.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+# This script runs the gosec scanner locally
+
+if ! command -v gosec 2> /dev/null
+then
+  echo "error gosec must be installed with this command: go install github.com/securego/gosec/v2/cmd/gosec@latest" && exit 1
+fi
+
+gosec -no-fail -fmt=sarif -out=gosec.sarif -exclude-dir tests ./...