add github action to run gosec static analysis (#398)

* add github action to run gosec static analysis * install gosec
aws · Apr 3, 2024 · cf1e58b · cf1e58b
1 parent 8b9cdb9
commit cf1e58b
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 0 deletions.
diff --git a/.github/workflows/presubmit.yaml b/.github/workflows/presubmit.yaml
@@ -53,3 +53,19 @@ jobs:
         run: go install golang.org/x/vuln/cmd/govulncheck@latest
       - name: Run `govulncheck`
         run: ~/go/bin/govulncheck ./...
+  static-security-analysis:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Setup Go Version
+        run: echo "GO_VERSION=$(cat .go-version)" >> $GITHUB_ENV
+      - uses: actions/setup-go@v4
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache-dependency-path: "**/go.sum"
+      - name: Install `gosec`
+        run: go install github.com/securego/gosec/v2/cmd/gosec@latest
+      - name: Run Gosec Security Scanner
+        run: ~/go/bin/gosec -exclude-dir test -exclude-generated -severity medium -exclude=G108,G114 ./...
+
diff --git a/pkg/k8s/pod/converter.go b/pkg/k8s/pod/converter.go
@@ -56,6 +56,7 @@ func (c *PodConverter) ConvertList(originalList interface{}) (convertedList inte
 		},
 	}
 	for _, pod := range podList.Items {
+		pod := pod // Fix gosec G601, so we can use &node
 		strippedPod := c.StripDownPod(&pod)
 		strippedPodList.Items = append(strippedPodList.Items, *strippedPod)
 	}

diff --git a/pkg/provider/branch/trunk/trunk.go b/pkg/provider/branch/trunk/trunk.go
@@ -245,6 +245,7 @@ func (t *trunkENI) InitTrunk(instance ec2.EC2Instance, podList []v1.Pod) error {
 
 	// From the list of pods on the given node, and the branch ENIs from EC2 API call rebuild the internal cache
 	for _, pod := range podList {
+		pod := pod // Fix gosec G601, so we can use &node
 		eniListFromPod := t.getBranchInterfacesUsedByPod(&pod)
 		if len(eniListFromPod) == 0 {
 			continue

diff --git a/pkg/utils/events.go b/pkg/utils/events.go
@@ -48,6 +48,7 @@ func SendNodeEventWithNodeObject(client k8s.K8sWrapper, node *v1.Node, reason, m
 func SendBroadcastNodeEvent(client k8s.K8sWrapper, reason, msg, eventType string, logger logr.Logger) {
 	if nodeList, err := client.ListNodes(); err == nil {
 		for _, node := range nodeList.Items {
+			node := node // Fix gosec G601, so we can use &node
 			client.BroadcastEvent(&node, reason, msg, eventType)
 		}
 	} else {