-
Notifications
You must be signed in to change notification settings - Fork 0
38 lines (35 loc) · 1.14 KB
/
gosec-pr-validation.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
name: GoSecPRValidation
on: [pull_request]
concurrency:
group: gosec-${{ github.ref }}
cancel-in-progress: true
jobs:
gosec-pr-scan:
runs-on: ubuntu-latest
container:
image: gcr.io/spectro-dev-public/bulwark/gosec:latest
env:
REPO: ${{ github.event.repository.name }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- name: gosec-scan
shell: sh
env:
BRANCH: ${{ github.head_ref || github.ref_name }}
GO111MODULE: on
run: /workspace/bulwark -name CodeSASTGoSec -verbose -target $REPO -tags "branch:$BRANCH,rules:-G101"
- name: check-result
shell: sh
run: |
resultPath=$REPO-result.json
issues=$(cat $resultPath | jq -r '.Stats.found')
echo "Found ${issues} issues"
echo "Issues by Rule ID"
jq -r '.Issues | group_by (.rule_id)[] | {rule: .[0].rule_id, count: length}' $resultPath
if [ "$issues" -gt 0 ]; then
echo "GoSec SAST scan failed with below findings..."
cat $resultPath
exit 1
else
echo "GoSec SAST scan passed"
fi