Is your feature request related to a problem? Please describe.
As part of the OpenSSF badge to cover dynamic code checking, testing binaries is an accepted building block to solve this. checksec (https://slimm609.github.io/checksec.sh/) checks for properties of executables (like PIE, RELRO, Canaries, ASLR, Fortify Source) and can provide JSON output for automated processing.
Describe the solution you'd like
Running checksec as part of the pipeline during Pull Requests and asserting that fortifications are present.
./checksec --extended --file=controller
(--format=json provides json output)
Describe alternatives you've considered
Running as a job that is allowed to fail is another option. This seems unlikely to happen once it is working but not impossible e.g. when a new feature is added. One solution may be version pinning though.
Environment
Production builds
Additional context
Generally the whole problem space gets simpler for fully static binaries; however, cgo is by default enabled for DNS resolution to make use of nsswitch.conf (https://pkg.go.dev/net#pkg-overview), and OpenSSL when using the Microsoft fork.
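One way to implement the assertion the issue asks for, as an added example (not the issue author's or the checksec project's code): a Python gate that runs the checksec command from the issue, parses its JSON report and fails the pipeline when a required property is missing. The JSON field names (relro, canary, nx, pie, fortify_source) and the constructed sample report are assumptions about checksec.sh's output layout and should be confirmed against a real run.

```python
"""Gate a CI job on the JSON report from checksec.sh (added example, not
code from the issue or the checksec project). Field names and the sample
report are assumed to follow checksec.sh's JSON layout; confirm against a real run.
"""
import json
import subprocess
import sys

# Minimum hardening expected from a production build; the values are the
# strings checksec emits for a passing check (assumed, see above).
REQUIRED = {
    "relro": {"full"},
    "canary": {"yes"},
    "nx": {"yes"},
    "pie": {"yes"},
    "fortify_source": {"yes"},
}

# Constructed sample report for a binary named "controller": RELRO only
# partial, PIE and Fortify Source missing.
SAMPLE_REPORT = json.dumps({"controller": {
    "relro": "partial", "canary": "yes", "nx": "yes", "pie": "no",
    "rpath": "no", "runpath": "no", "symbols": "no",
    "fortify_source": "no", "fortified": "0", "fortify-able": "3",
}})


def find_violations(report_json: str, required: dict = REQUIRED) -> list[str]:
    """Return one 'file: property=value (want ...)' line per failed check.
    A property checksec did not emit counts as a failure ("<absent>"), so a
    schema change or an unexpected binary cannot make the gate pass silently."""
    violations = []
    for path, props in json.loads(report_json).items():
        for name, ok in required.items():
            value = props.get(name, "<absent>")
            if value not in ok:
                violations.append(f"{path}: {name}={value} (want {'/'.join(sorted(ok))})")
    return violations


def run_checksec(binary: str) -> str:
    """Run the command from the issue and return its JSON report."""
    return subprocess.run(["checksec", "--format=json", f"--file={binary}"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":  # usage: python checksec_gate.py ./controller
    report = run_checksec(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    problems = find_violations(report)
    print("\n".join(problems) or "all hardening checks passed")
    sys.exit(1 if problems else 0)
```

Without an argument the script evaluates the constructed sample and exits non-zero, which is the behaviour a PR job would see for an unhardened build.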
Thanks for opening this issue 👍. The team will review it shortly.
If this is a bug report, make sure to include clear instructions on how to reproduce the problem with minimal reproducible examples, where possible. If this is a security report, please review our security policy as outlined in SECURITY.md.
If you haven't already, please take a moment to review our project's Code of Conduct document.