Commit bc4a87d6 authored by Cédric OLIVIER's avatar Cédric OLIVIER Committed by Pierre Smeyers
feat: add govulncheck

parent 77c5c8ba
......@@ -164,3 +164,14 @@ It is bound to the `test` stage, and uses the following variables:
| `GO_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
| `GO_SBOM_IMAGE` | Image of cyclonedx-gomod used for SBOM analysis | `registry.hub.docker.com/cyclonedx/cyclonedx-gomod:latest` |
| `GO_SBOM_OPTS` | [@cyclonedx/cyclonedx-gomod options](https://github.com/CycloneDX/cyclonedx-gomod#usage) used for SBOM analysis | `-main .` |
### `go-govulncheck` job
This job enables Vulnerability Management with [Govulncheck](https://go.dev/blog/vuln).
It is bound to the `test` stage, and uses the following variables:
| Name | description | default value |
| --------------------- | -------------------------------------- | ----------------- |
| `GO_VULNCHECK_DISABLED` | Set to `true` to disable this job | _none_
| `GO_VULNCHECK_ARGS` | `govulncheck` [command line arguments](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck#hdr-Flags) | `./...` |
\ No newline at end of file
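Review bot: the `GO_VULNCHECK_DISABLED` row in the new variables table is missing its trailing `|`, unlike every other row in this file (`| _none_` should be `| _none_ |`); some renderers drop or misalign the last cell when the pipe is absent. Also add a blank line before the `### \`go-govulncheck\` job` heading so it is separated from the preceding SBOM table, and end the file with a newline (the hunk currently produces "No newline at end of file").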
......@@ -132,6 +132,20 @@
"advanced": true
}
]
},
{
"id": "govulncheck",
"name": "Govulncheck",
"description": "Vulnerability Management with [Govulncheck](https://go.dev/blog/vuln)",
"disable_with": "GO_VULNCHECK_DISABLED",
"variables": [
{
"name": "GO_VULNCHECK_ARGS",
"description": "`govulncheck` [command line arguments](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck#hdr-Flags)",
"default": "./...",
"advanced": true
}
]
}
]
}
......@@ -85,6 +85,9 @@ variables:
# Default arguments for go-mod-outdated command
GO_MOD_OUTDATED_ARGS: '-update -direct'
GO_VULNCHECK_ARGS: >-
./...
# Default golangci-lint Docker image (can be overridden)
GO_CI_LINT_IMAGE: "registry.hub.docker.com/golangci/golangci-lint:latest-alpine"
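Review bot: `GO_VULNCHECK_ARGS` is declared as a folded block scalar (`>-` followed by `./...`) while the neighbouring defaults such as `GO_MOD_OUTDATED_ARGS: '-update -direct'` are plain quoted strings; for a single-token value a quoted scalar is simpler and avoids a reader wondering whether the fold is intentional. Suggest `GO_VULNCHECK_ARGS: './...'`, and add a comment line above it in the style of the existing `# Default arguments for go-mod-outdated command` so the variable is documented in place.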
......@@ -222,6 +225,16 @@ stages:
cd -
}
function install_go_govulncheck() {
if ! command -v govulncheck > /dev/null
then
cd "$(mktemp -d)"
go mod init govulncheck
go install golang.org/x/vuln/cmd/govulncheck@latest
cd -
fi
}
function install_ca_certs() {
certs=$1
if [[ -z "$certs" ]]
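Review bot: `install_go_govulncheck` installs `golang.org/x/vuln/cmd/govulncheck@latest`, so every pipeline run pulls whatever version is current and the job's result is not reproducible; suggest exposing the version (e.g. a `GO_VULNCHECK_VERSION` variable defaulting to a pinned tag) the way the SBOM job exposes `GO_SBOM_IMAGE`, and interpolating it into the `@` suffix. The `mktemp -d` / `go mod init govulncheck` dance is also unnecessary for a `go install pkg@version` form, which resolves the module independently of any current module, and `cd -` prints the previous directory to stdout and is what the function's exit status reflects; if `go install` fails the failure is masked unless `set -e` is in effect. Finally, the guard checks `command -v govulncheck` (PATH) while the job that follows invokes `$GOBIN/govulncheck` directly, so a binary found on PATH but not in `$GOBIN` skips the install and then fails at run time; check `$GOBIN/govulncheck` here or invoke `govulncheck` from PATH in the job, but not a mix of both.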
......@@ -498,3 +511,17 @@ go-sbom:
- if: '$GO_SBOM_DISABLED == "true"'
when: never
- !reference [.test-policy, rules]
go-govulncheck:
extends: .go-base
stage: test
dependencies: []
script:
- mkdir -p -m 777 reports
- install_go_govulncheck
- $GOBIN/govulncheck ${GO_VULNCHECK_ARGS}
rules:
# exclude if GO_CI_LINT_DISABLED set
- if: '$GO_VULNCHECK_DISABLED == "true"'
when: never
- !reference [.test-policy, rules]
\ No newline at end of file
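Review bot: the comment above the disable rule reads `# exclude if GO_CI_LINT_DISABLED set` but the condition tests `$GO_VULNCHECK_DISABLED`; this is a copy-paste leftover and should read `# exclude if GO_VULNCHECK_DISABLED set`. The script also creates `reports` with `-m 777` but nothing in this job writes to it and no `artifacts:` section is declared, so either drop the `mkdir` or have govulncheck write its output there and publish it as a report; a world-writable directory created for no consumer is an unnecessary loosening. As in the install hunk, `$GOBIN/govulncheck` should match how `install_go_govulncheck` detects an existing binary, and the file should end with a newline.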