feat: add govulncheck

bc4a87d6 · Cédric OLIVIER · Pierre Smeyers · 77c5c8ba · bc4a87d6 · bc4a87d6
Commit bc4a87d6 authored 1 year ago by Cédric OLIVIER Committed by Pierre Smeyers 1 year ago
--- a/README.md
+++ b/README.md
@@ -164,3 +164,14 @@ It is bound to the `test` stage, and uses the following variables:
 | `GO_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
 | `GO_SBOM_IMAGE` | Image of cyclonedx-gomod used for SBOM analysis | `registry.hub.docker.com/cyclonedx/cyclonedx-gomod:latest` |
 | `GO_SBOM_OPTS` | [@cyclonedx/cyclonedx-gomod options](https://github.com/CycloneDX/cyclonedx-gomod#usage) used for SBOM analysis | `-main .` |
+
+### `go-govulncheck` job
+
+This job enables Vulnerability Management with [Govulncheck](https://go.dev/blog/vuln).
+
+It is bound to the `test` stage, and uses the following variables:
+
+| Name                  | description                            | default value     |
+| --------------------- | -------------------------------------- | ----------------- |
+| `GO_VULNCHECK_DISABLED` | Set to `true` to disable this job | _none_ 
+| `GO_VULNCHECK_ARGS`   | `govulncheck` [command line arguments](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck#hdr-Flags) | `./...` |
\ No newline at end of file
--- a/kicker.json
+++ b/kicker.json
@@ -132,6 +132,20 @@
          "advanced": true
        }
      ]
+    },
+    {
+      "id": "govulncheck",
+      "name": "Govulncheck",
+      "description": "Vulnerability Management with [Govulncheck](https://go.dev/blog/vuln)",
+      "disable_with": "GO_VULNCHECK_DISABLED",
+      "variables": [
+        {
+          "name": "GO_VULNCHECK_ARGS",
+          "description": "`govulncheck` [command line arguments](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck#hdr-Flags)",
+          "default": "./...",
+          "advanced": true
+        }
+      ]
    }
  ]
 }
--- a/templates/gitlab-ci-golang.yml
+++ b/templates/gitlab-ci-golang.yml
@@ -85,6 +85,9 @@ variables:
  # Default arguments for go-mod-outdated command
  GO_MOD_OUTDATED_ARGS: '-update -direct'

+  GO_VULNCHECK_ARGS: >-
+    ./...
+
  # Default golangci-lint Docker image (can be overridden)
  GO_CI_LINT_IMAGE: "registry.hub.docker.com/golangci/golangci-lint:latest-alpine"

@@ -222,6 +225,16 @@ stages:
    cd -
  }

+  function install_go_govulncheck() {
+    if ! command -v govulncheck  > /dev/null
+    then
+      cd "$(mktemp -d)"
+      go mod init govulncheck
+      go install golang.org/x/vuln/cmd/govulncheck@latest
+      cd -
+    fi
+  }
+
  function install_ca_certs() {
    certs=$1
    if [[ -z "$certs" ]]
@@ -498,3 +511,17 @@ go-sbom:
    - if: '$GO_SBOM_DISABLED == "true"'
      when: never
    - !reference [.test-policy, rules]
+
+go-govulncheck:
+  extends: .go-base
+  stage: test
+  dependencies: []
+  script:
+    - mkdir -p -m 777 reports  
+    - install_go_govulncheck
+    - $GOBIN/govulncheck ${GO_VULNCHECK_ARGS}
+  rules:
+    # exclude if GO_CI_LINT_DISABLED set
+    - if: '$GO_VULNCHECK_DISABLED == "true"'
+      when: never
+    - !reference [.test-policy, rules]
\ No newline at end of file