From cf1e58bdcddc7acdc2964d6fb696b384e063e836 Mon Sep 17 00:00:00 2001
From: Sushmitha Ravikumar <58063229+sushrk@users.noreply.github.com>
Date: Tue, 2 Apr 2024 21:33:49 -0700
Subject: [PATCH] add github action to run gosec static analysis (#398)
* add github action to run gosec static analysis
* install gosec
---
.github/workflows/presubmit.yaml | 16 ++++++++++++++++
pkg/k8s/pod/converter.go | 1 +
pkg/provider/branch/trunk/trunk.go | 1 +
pkg/utils/events.go | 1 +
4 files changed, 19 insertions(+)
diff --git a/.github/workflows/presubmit.yaml b/.github/workflows/presubmit.yaml
index db46def2..0557b973 100644
--- a/.github/workflows/presubmit.yaml
+++ b/.github/workflows/presubmit.yaml
@@ -53,3 +53,19 @@ jobs:
 run: go install golang.org/x/vuln/cmd/govulncheck@latest
 - name: Run `govulncheck`
 run: ~/go/bin/govulncheck ./...
+static-security-analysis:
+runs-on: ubuntu-latest
+steps:
+- name: Checkout
+uses: actions/checkout@v3
+- name: Setup Go Version
+run: echo "GO_VERSION=$(cat .go-version)" >> $GITHUB_ENV
+- uses: actions/setup-go@v4
+with:
+go-version: ${{ env.GO_VERSION }}
+cache-dependency-path: "**/go.sum"
+- name: Install `gosec`
+run: go install github.com/securego/gosec/v2/cmd/gosec@latest
+- name: Run Gosec Security Scanner
+run: ~/go/bin/gosec -exclude-dir test -exclude-generated -severity medium -exclude=G108,G114 ./...
+
diff --git a/pkg/k8s/pod/converter.go b/pkg/k8s/pod/converter.go
index 58c7dcad..0ec10c92 100644
--- a/pkg/k8s/pod/converter.go
+++ b/pkg/k8s/pod/converter.go
@@ -56,6 +56,7 @@ func (c *PodConverter) ConvertList(originalList interface{}) (convertedList inte
 },
 }
 for _, pod := range podList.Items {
+pod := pod // Fix gosec G601, so we can use &node
 strippedPod := c.StripDownPod(&pod)
 strippedPodList.Items = append(strippedPodList.Items, *strippedPod)
 }
diff --git a/pkg/provider/branch/trunk/trunk.go b/pkg/provider/branch/trunk/trunk.go
index ce4f2e27..1a5e1dd3 100644
--- a/pkg/provider/branch/trunk/trunk.go
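Review bot: The scanner is installed with `go install github.com/securego/gosec/v2/cmd/gosec@latest`, so the rule set and its defaults can change underneath the job with no commit in this repository, making the presubmit either newly red or newly blind for reasons the history does not show; pin a release, e.g. `go install github.com/securego/gosec/v2/cmd/gosec@<pinned-version>`, and bump it deliberately. The `-exclude=G108,G114` and `-severity medium` flags on the final `run:` line suppress findings without recording why; a comment above that step such as `# G108/G114 excluded: <reason>; findings below medium severity are not gating` keeps the policy reviewable. The empty `+` line at the end of the hunk is stray whitespace.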
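Review bot: The comment on the added line, `pod := pod // Fix gosec G601, so we can use &node`, names a variable that does not exist in this loop; the address taken on the next line is `&pod`, so the text looks copied from the `events.go` hunk and should read `pod := pod // Fix gosec G601 (implicit memory aliasing), so &pod is safe to take`. The same copied comment appears on the added line of the `trunk.go` hunk below. ConvertList starts and ends outside this hunk.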
+++ b/pkg/provider/branch/trunk/trunk.go
@@ -245,6 +245,7 @@ func (t *trunkENI) InitTrunk(instance ec2.EC2Instance, podList []v1.Pod) error {
 // From the list of pods on the given node, and the branch ENIs from EC2 API call rebuild the internal cache
 for _, pod := range podList {
+pod := pod // Fix gosec G601, so we can use &node
 eniListFromPod := t.getBranchInterfacesUsedByPod(&pod)
 if len(eniListFromPod) == 0 {
 continue
diff --git a/pkg/utils/events.go b/pkg/utils/events.go
index 54efd250..6afef7ad 100644
--- a/pkg/utils/events.go
+++ b/pkg/utils/events.go
@@ -48,6 +48,7 @@ func SendNodeEventWithNodeObject(client k8s.K8sWrapper, node *v1.Node, reason, m
 func SendBroadcastNodeEvent(client k8s.K8sWrapper, reason, msg, eventType string, logger logr.Logger) {
 if nodeList, err := client.ListNodes(); err == nil {
 for _, node := range nodeList.Items {
+node := node // Fix gosec G601, so we can use &node
 client.BroadcastEvent(&node, reason, msg, eventType)
 }
 } else {
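Review bot: Shadowing with `node := node` copies a full v1.Node on every iteration only to take its address on the next line; indexing the slice yields a distinct per-element pointer without the copy and without the G601 pattern, `for i := range nodeList.Items {` / `client.BroadcastEvent(&nodeList.Items[i], reason, msg, eventType)`, provided BroadcastEvent does not need a private copy of the node. The same trade-off applies to the `pod := pod` shadows in the converter.go and trunk.go hunks. If the module's go directive is 1.22 or newer (not visible here), each range iteration already gets its own variable and all three shadows are redundant. SendBroadcastNodeEvent's else branch continues outside the hunk.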