gosec commit

.github/FUNDING.yml

@@ -0,0 +1,3 @@
+# These are supported funding model platforms
+
+github: [ccojocar, gcmurphy]

.github/issue_template.md

@@ -0,0 +1,13 @@
+### Summary 
+
+### Steps to reproduce the behavior
+
+### gosec version
+
+### Go version (output of 'go version')
+
+### Operating system / Environment
+
+### Expected behavior
+
+### Actual behavior

.github/workflows/ci.yml

@@ -0,0 +1,66 @@
+name: CI
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+jobs:
+  test:
+    strategy:
+      matrix:
+        version: [{go: '1.22.6', golangci: 'latest'}, {go: '1.23.0', golangci: 'latest'}]
+    runs-on: ubuntu-latest
+    env:
+      GO111MODULE: on
+    steps:
+      - name: Setup go ${{ matrix.version.go }}
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ matrix.version.go }}
+      - name: Checkout Source
+        uses: actions/checkout@v4
+      - uses: actions/cache@v4
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - name: lint
+        uses: golangci/golangci-lint-action@v6
+        with:
+         version: ${{ matrix.version.golangci }}
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@master
+        with:
+          args: ./...
+      - name: Run Tests
+        run: make test
+      - name: Perf Diff
+        run: make perf-diff
+  coverage:
+    needs: [test]
+    runs-on: ubuntu-latest
+    env:
+      GO111MODULE: on
+    steps:
+      - name: Setup go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.23.0'
+      - name: Checkout Source
+        uses: actions/checkout@v4
+      - uses: actions/cache@v4
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - name: Create Test Coverage
+        run: make test-coverage
+      - name: Upload Test Coverage
+        uses: codecov/codecov-action@v4
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          fail_ci_if_error: true

.github/workflows/release.yml

@@ -0,0 +1,77 @@
+name: Release
+on:
+  push:
+    tags:
+      - 'v*'
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    env:
+      GO111MODULE: on
+      ACTIONS_ALLOW_UNSECURE_COMMANDS: true
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@v4
+      - name: Unshallow
+        run: git fetch --prune --unshallow
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.23.0'
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3
+        with:
+          cosign-release: 'v2.2.4'
+      - name: Store Cosign private key in a file
+        run: 'echo "$COSIGN_KEY" > /tmp/cosign.key'
+        shell: bash
+        env:
+          COSIGN_KEY: ${{secrets.COSIGN_KEY}}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to DockerHub
+        uses: docker/login-action@v3
+        with:
+          username: ${{secrets.DOCKER_USERNAME}}
+          password: ${{secrets.DOCKER_PASSWORD}}
+      - name: Generate SBOM
+        uses: CycloneDX/gh-gomod-generate-sbom@v2
+        with:
+          version: v1
+          args: mod -licenses -json -output bom.json
+      - name: Docker meta
+        uses: docker/metadata-action@v5
+        id: meta
+        with:
+          images: securego/gosec
+          flavor: |
+            latest=true
+          tags: |
+            type=sha,format=long
+            type=semver,pattern={{version}}
+      - name: Release Binaries
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          version: latest
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+      - name: Release Docker Image
+        uses: docker/build-push-action@v6
+        id: relimage
+        with:
+          platforms: linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le
+          tags: ${{steps.meta.outputs.tags}}
+          labels: ${{steps.meta.outputs.labels}}
+          push: true
+          build-args: GO_VERSION=1.23
+      - name: Sign Docker Image
+        run: cosign sign --yes --key /tmp/cosign.key ${DIGEST}
+        env:
+          TAGS: ${{steps.meta.outputs.tags}}
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+          COSIGN_PRIVATE_KEY: /tmp/cosign.key
+          DIGEST: ${{steps.relimage.outputs.digest}}

.github/workflows/scan.yml

@@ -0,0 +1,26 @@
+name: "Security Scan"
+
+# Run workflow each time code is pushed to your repository and on a schedule.
+# The scheduled workflow runs every at 00:00 on Sunday UTC time.
+on:
+  push:
+  pull_request:
+  schedule:
+  - cron: '0 0 * * 0'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v4
+    - name: Security Scan
+      uses: securego/gosec@master
+      with:
+        # we let the report trigger content trigger a failure using the GitHub Security features.
+        args: '-no-fail -fmt sarif -out results.sarif ./...'
+    - name: Upload SARIF file
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        # Path to SARIF file relative to the root of the repository
+        sarif_file: results.sarif

.gitignore

@@ -0,0 +1,40 @@
+# transient files
+/image
+
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+*.swp
+/gosec
+
+# Folders
+_obj
+_test
+vendor
+dist
+
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe
+*.test
+*.prof
+
+.DS_Store
+
+.vscode
+.idea
+
+# SBOMs generated during CI
+/bom.json
+1

.golangci.yml

@@ -0,0 +1,49 @@
+linters:
+  enable:
+    - asciicheck
+    - bodyclose
+    - copyloopvar
+    - dogsled
+    - durationcheck
+    - errcheck
+    - errorlint
+    - gci
+    - ginkgolinter
+    - gochecknoinits
+    - gofmt
+    - gofumpt
+    - goimports
+    - gosec
+    - gosimple
+    - govet
+    - importas
+    - ineffassign
+    - misspell
+    - nakedret
+    - nolintlint
+    - revive
+    - staticcheck
+    - typecheck
+    - unconvert
+    - unparam
+    - unused
+    - wastedassign
+
+linters-settings:
+  gci:
+    sections:
+      - standard
+      - default
+      - prefix(github.com/securego)
+  staticcheck:
+    checks:
+     - all
+     - '-SA1019'
+
+  revive:
+    rules:
+      - name: dot-imports
+        disabled: true
+
+run:
+  timeout: 5m

.goreleaser.yml

@@ -0,0 +1,37 @@
+---
+project_name: gosec
+
+release:
+  extra_files:
+    - glob: ./bom.json
+  github:
+    owner: securego
+    name: gosec
+
+builds:
+  - main: ./cmd/gosec/
+    binary: gosec
+    goos:
+      - darwin
+      - linux
+      - windows
+    goarch:
+      - amd64
+      - arm64
+      - s390x
+      - ppc64le
+    ldflags: -X main.Version={{.Version}} -X main.GitTag={{.Tag}} -X main.BuildDate={{.Date}}
+    env:
+      - CGO_ENABLED=0
+
+signs:
+- cmd: cosign
+  stdin: '{{ .Env.COSIGN_PASSWORD}}'
+  args:
+  - "sign-blob"
+  - "--key=/tmp/cosign.key"
+  - "--output=${signature}"
+  - "${artifact}"
+  - "--yes"
+  artifacts: all
+

Dockerfile

@@ -0,0 +1,15 @@
+ARG GO_VERSION
+FROM golang:${GO_VERSION}-alpine AS builder
+RUN apk add --no-cache ca-certificates make git curl gcc libc-dev \
+    && mkdir -p /build
+WORKDIR /build
+COPY . /build/
+RUN go mod download \
+    && make build-linux
+
+FROM golang:${GO_VERSION}-alpine 
+RUN apk add --no-cache ca-certificates bash git gcc libc-dev openssh
+ENV GO111MODULE on
+COPY --from=builder /build/gosec /bin/gosec
+COPY entrypoint.sh /bin/entrypoint.sh
+ENTRYPOINT ["/bin/entrypoint.sh"]