Added gosec support (as 'go-sec-*')

TekWizely · Mar 7, 2021 · d09b682 · d09b682
1 parent f167a2e
commit d09b682
Show file tree

Hide file tree

Showing 7 changed files with 266 additions and 4 deletions.
diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml
@@ -140,6 +140,72 @@
     description: "Run 'goreturns -l -d [$ARGS] $FILE' for each staged .go file"
     pass_filenames: true
 
+# ==============================================================================
+# go-sec-mod
+#   * Folder-Based
+#   * Recursive
+#   * Targets first parent folder with a go.mod file
+#   * Executes if any .go files modified
+#   * Executes if go.mod modified
+# ==============================================================================
+-   id: go-sec-mod
+    name: 'go-sec-mod'
+    entry: go-sec-mod.sh
+    files: '(\.go$)|(\bgo\.mod$)'
+    exclude: '(^|/)vendor/'
+    language: 'script'
+    description: "Run 'cd $(mod_root $FILE); gosec [$ARGS] ./...' for each staged .go file"
+    pass_filenames: true
+    require_serial: true
+
+# ==============================================================================
+# go-sec-pkg
+#   * Folder-Based
+#   * Targets folder containing staged file
+#   * Executes if any .go files modified
+# ==============================================================================
+-   id: go-sec-pkg
+    name: 'go-sec-pkg'
+    entry: go-sec-pkg.sh
+    types: [go]
+    exclude: '(^|/)vendor/'
+    language: 'script'
+    description: "Run 'gosec [$ARGS] ./$(dirname $FILE)' for each staged .go file"
+    pass_filenames: true
+    require_serial: true
+
+# ==============================================================================
+# go-sec-repo-mod
+#   * Repo-Based
+#   * Recursive
+#   * Targets ALL folders with a go.mod file
+#   * Executes if any .go files modified
+#   * Executes if go.mod modified
+# ==============================================================================
+-   id: go-sec-repo-mod
+    name: 'go-sec-repo-mod'
+    entry: go-sec-repo-mod.sh
+    files: '(\.go$)|(\bgo\.mod$)'
+    exclude: '(^|/)vendor/'
+    language: 'script'
+    description: "Run 'cd $(mod_root); gosec [$ARGS] ./...' for each module in the repo"
+    pass_filenames: false
+
+# ==============================================================================
+# go-sec-repo-pkg
+#   * Repo-Based
+#   * Recursive
+#   * Executes if any .go files modified
+# ==============================================================================
+-   id: go-sec-repo-pkg
+    name: 'go-sec-repo-pkg'
+    entry: go-sec-repo-pkg.sh
+    types: [go]
+    exclude: '(^|/)vendor/'
+    language: 'script'
+    description: "Run 'gosec [$ARGS] ./...' in repo root folder"
+    pass_filenames: false
+
 # ==============================================================================
 # go-test-mod
 #   * Folder-Based

diff --git a/README.md b/README.md
@@ -54,6 +54,13 @@ You can copy/paste the following snippet into your `.pre-commit-config.yaml` fil
     -   id: go-vet-repo-mod
     -   id: go-vet-repo-pkg
     #
+    # GoSec
+    #
+    -   id: go-sec-mod
+    -   id: go-sec-pkg
+    -   id: go-sec-repo-mod
+    -   id: go-sec-repo-pkg
+    #
     # Formatters
     #
     -   id: go-fmt
@@ -160,6 +167,7 @@ Consider adding aliases to longer-named hooks for easier CLI usage.
    - [go-build](#go-build)
    - [go-test](#go-test)
    - [go-vet](#go-vet)
+   - [go-sec](#go-sec)
  - Formatters
    - [go-fmt](#go-fmt)
    - [go-imports](#go-imports)
@@ -194,10 +202,10 @@ Automates testing, printing a summary of test resutls.
 
 | Hook ID            | Description
 |--------------------|------------
-| `go-test-mod`      | Run `'cd $(mod_root $FILE); go test [$ARGS] ./...'` for each staged .go file
-| `go-test-pkg`      | Run `'go test [$ARGS] ./$(dirname $FILE)'` for each staged .go file
-| `go-test-repo-mod` | Run `'cd $(mod_root); go test [$ARGS] ./...'` for each module in the repo
-| `go-test-repo-pkg` | Run `'go test [$ARGS] ./...'` in repo root folder
+| `go-test-mod`      | Run `'cd $(mod_root $FILE); gosec [$ARGS] ./...'` for each staged .go file
+| `go-test-pkg`      | Run `'gosec [$ARGS] ./$(dirname $FILE)'` for each staged .go file
+| `go-test-repo-mod` | Run `'cd $(mod_root); gosec [$ARGS] ./...'` for each module in the repo
+| `go-test-repo-pkg` | Run `'gosec [$ARGS] ./...'` in repo root folder
 
 ##### Install
 Comes with Golang ( [golang.org](https://golang.org/) )
@@ -206,6 +214,26 @@ Comes with Golang ( [golang.org](https://golang.org/) )
  - https://golang.org/cmd/go/#hdr-Test_packages
  - `go help test`
 
+-----------
+### go-sec
+Inspects source code for security problems by scanning the Go AST.
+
+| Hook ID           | Description
+|-------------------|------------
+| `go-sec-mod`      | Run `'cd $(mod_root $FILE); gosec [$ARGS] ./...'` for each staged .go file
+| `go-sec-pkg`      | Run `'gosec [$ARGS] ./$(dirname $FILE)'` for each staged .go file
+| `go-sec-repo-mod` | Run `'cd $(mod_root); gosec [$ARGS] ./...'` for each module in the repo
+| `go-sec-repo-pkg` | Run `'gosec [$ARGS] ./...'` in repo root folder
+
+##### Install
+```
+go get github.com/securego/gosec/v2/cmd/gosec
+```
+
+##### Help
+ - https://github.com/securego/gosec#usage
+ - `gosec (no args)`
+
 ----------
 ### go-vet
 Examines Go source code and reports suspicious constructs, such as

diff --git a/go-sec-mod.sh b/go-sec-mod.sh
@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+
+cmd=(gosec)
+
+export GO111MODULE=on
+
+# Walks up the file path looking for go.mod
+#
+function find_module_roots() {
+	for arg in "$@" ; do
+	  local path="${arg}"
+	  if [ "${path}" == "" ]; then
+	    path="."
+	  elif [ -f "${path}" ]; then
+	    path=$(dirname "${path}")
+	  fi
+	  while [ "${path}" != "." ] && [ ! -f "${path}/go.mod" ]; do
+	    path=$(dirname "${path}")
+	  done
+	  if [ -f "${path}/go.mod" ]; then
+	  	echo "${path}"
+	  fi
+	done
+}
+
+OPTIONS=()
+# If arg doesn't pass [ -f ] check, then it is assumed to be an option
+#
+while [ $# -gt 0 ] && [ "$1" != "-" ] && [ "$1" != "--" ] && [ ! -f "$1" ]; do
+	OPTIONS+=("$1")
+	shift
+done
+
+FILES=()
+# Assume start of file list (may still be options)
+#
+while [ $# -gt 0 ] && [ "$1" != "-" ] && [ "$1" != "--" ]; do
+	FILES+=("$1")
+	shift
+done
+
+# If '--' next, then files = options
+#
+if [ $# -gt 0 ]; then
+	if [ "$1" == "-" ] || [ "$1" == "--" ]; then
+		shift
+		# Append to previous options
+		#
+		OPTIONS=("${OPTIONS[@]}" "${FILES[@]}")
+		FILES=()
+	fi
+fi
+
+# Any remaining arguments are assumed to be files
+#
+while [ $# -gt 0 ]; do
+	FILES+=("$1")
+	shift
+done
+
+errCode=0
+for sub in $(find_module_roots "${FILES[@]}" | sort -u) ; do
+	pushd "${sub}" >/dev/null
+	"${cmd[@]}" "${OPTIONS[@]}" ./...
+	if [ $? -ne 0 ]; then
+		errCode=1
+	fi
+	popd >/dev/null
+done
+exit $errCode
diff --git a/go-sec-pkg.sh b/go-sec-pkg.sh
@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+cmd=(gosec)
+
+export GO111MODULE=off
+
+OPTIONS=()
+# If arg doesn't pass [ -f ] check, then it is assumed to be an option
+#
+while [ $# -gt 0 ] && [ "$1" != "-" ] && [ "$1" != "--" ] && [ ! -f "$1" ]; do
+	OPTIONS+=("$1")
+	shift
+done
+
+FILES=()
+# Assume start of file list (may still be options)
+#
+while [ $# -gt 0 ] && [ "$1" != "-" ] && [ "$1" != "--" ]; do
+	FILES+=("$1")
+	shift
+done
+
+# If '--' next, then files = options
+#
+if [ $# -gt 0 ]; then
+	if [ "$1" == "-" ] || [ "$1" == "--" ]; then
+		shift
+		# Append to previous options
+		#
+		OPTIONS=("${OPTIONS[@]}" "${FILES[@]}")
+		FILES=()
+	fi
+fi
+
+# Any remaining arguments are assumed to be files
+#
+while [ $# -gt 0 ]; do
+	FILES+=("$1")
+	shift
+done
+
+errCode=0
+for sub in $(echo "${FILES[@]}" | xargs -n1 dirname | sort -u); do
+	"${cmd[@]}" "${OPTIONS[@]}" "./${sub}"
+	if [ $? -ne 0 ]; then
+		errCode=1
+	fi
+done
+exit $errCode
diff --git a/go-sec-repo-mod.sh b/go-sec-repo-mod.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+cmd=(gosec)
+
+export GO111MODULE=on
+
+OPTIONS=()
+# Build options list, ignoring '-', '--', and anything after
+#
+while [ $# -gt 0 ] && [ "$1" != "-" ] && [ "$1" != "--" ]; do
+	OPTIONS+=("$1")
+	shift
+done
+
+errCode=0
+# Assume parent folder of go.mod is module root folder
+#
+for sub in $(find . -name go.mod -not -path '*/vendor/*' | xargs -n1 dirname | sort -u) ; do
+	pushd "${sub}" >/dev/null
+	"${cmd[@]}" "${OPTIONS[@]}" ./...
+	if [ $? -ne 0 ]; then
+		errCode=1
+	fi
+	popd >/dev/null
+done
+exit $errCode
diff --git a/go-sec-repo-pkg.sh b/go-sec-repo-pkg.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+set -e
+
+cmd=(gosec)
+
+export GO111MODULE=off
+
+OPTIONS=()
+# Build options list, ignoring '-', '--', and anything after
+#
+while [ $# -gt 0 ] && [ "$1" != "-" ] && [ "$1" != "--" ]; do
+	OPTIONS+=("$1")
+	shift
+done
+
+"${cmd[@]}" "${OPTIONS[@]}" ./...
diff --git a/sample-config.yaml b/sample-config.yaml
@@ -97,6 +97,13 @@ repos:
     -   id: go-vet-repo-mod
     -   id: go-vet-repo-pkg
     #
+    # GoSec
+    #
+    -   id: go-sec-mod
+    -   id: go-sec-pkg
+    -   id: go-sec-repo-mod
+    -   id: go-sec-repo-pkg
+    #
     # Formatters
     #
     -   id: go-fmt