Adapt pipeline_definitions to include SAST linting logs in OCM descri…

…ptor (#959) * Add newline at the end of files * Adapt pipeline_definitions to include SAST linting logs in OCM descriptor
gardener · Jan 17, 2025 · 20acd80 · 20acd80
1 parent f733669
commit 20acd80
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 4 deletions.
diff --git a/.ci/pipeline_definitions b/.ci/pipeline_definitions
@@ -1,5 +1,12 @@
 machine-controller-manager:
   base_definition:
+    repo:
+      source_labels:
+        - name: cloud.gardener.cnudie/dso/scanning-hints/source_analysis/v1
+          value:
+            policy: skip
+            comment: |
+              we use gosec for sast scanning. See attached log.
     traits:
       version:
         preprocess:
@@ -55,6 +62,16 @@ machine-controller-manager:
           ocm_repository: europe-docker.pkg.dev/gardener-project/releases
         release:
           nextversion: 'bump_minor'
+          assets:
+            - type: build-step-log
+              step_name: check
+              purposes:
+                - lint
+                - sast
+                - gosec
+              comment: |
+                we use gosec (linter) for SAST scans
+                see: https://github.com/securego/gosec
         publish:
           dockerimages:
             machine-controller-manager:

diff --git a/hack/add_license_headers.sh b/hack/add_license_headers.sh
@@ -23,4 +23,4 @@ addlicense \
   -ignore "**/*.md" \
   -ignore "**/*.yaml" \
   -ignore "**/Dockerfile" \
-  .
+  .
diff --git a/hack/sast.sh b/hack/sast.sh
@@ -41,4 +41,4 @@ fi
 # Thus, generated code is excluded from gosec scan.
 # Nested go modules are not supported by gosec (see https://github.com/securego/gosec/issues/501), so the ./hack folder
 # is excluded too. It does not contain productive code anyway.
-gosec -exclude-generated -exclude-dir=hack $gosec_report_parse_flags ./...
+gosec -exclude-generated -exclude-dir=hack $gosec_report_parse_flags ./...
diff --git a/hack/tools.mk b/hack/tools.mk
@@ -81,4 +81,4 @@ $(GOLANGCI_LINT): $(TOOLS_BIN_DIR)
 	GOBIN=$(abspath $(TOOLS_BIN_DIR)) go install github.com/golangci/golangci-lint/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION)
 
 $(GOSEC):
-	GOSEC_VERSION=$(GOSEC_VERSION) bash $(TOOLS_PKG_PATH)/install-gosec.sh
+	GOSEC_VERSION=$(GOSEC_VERSION) bash $(TOOLS_PKG_PATH)/install-gosec.sh
diff --git a/hack/tools/install-gosec.sh b/hack/tools/install-gosec.sh
@@ -37,4 +37,4 @@ curl -L -o ${temp_dir}/${file_name} "https://github.com/securego/gosec/releases/
 
 tar -xzm -C "${temp_dir}" -f "${temp_dir}/${file_name}"
 mv "${temp_dir}/gosec" $TOOLS_BIN_DIR
-chmod +x $TOOLS_BIN_DIR/gosec
+chmod +x $TOOLS_BIN_DIR/gosec