Merge pull request #9180 from chrischdi/pr-govulncheck-1.4

[release-1.4] 🌱 Add verify-govulncheck and verify-vulnerabilities targets and integrate to scan action
kubernetes-sigs · Aug 14, 2023 · f5ed03f · f5ed03f
2 parents 5b97514 + 57ec6f3
commit f5ed03f
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 4 deletions.
diff --git a/.github/workflows/scan.yml → .github/workflows/weekly-security-scan.yaml b/.github/workflows/scan.yml → .github/workflows/weekly-security-scan.yaml
@@ -1,4 +1,4 @@
-name: scan-images
+name: Weekly security scan
 
 on:
   schedule:
@@ -28,5 +28,5 @@ jobs:
       uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # tag=v3.5.0
       with:
         go-version: ${{ steps.vars.outputs.go_version }}
-    - name: Run verify container script
-      run: make verify-container-images
+    - name: Run verify security target
+      run: make verify-security
diff --git a/Makefile b/Makefile
@@ -163,6 +163,11 @@ GOLANGCI_LINT_VER := $(shell cat .github/workflows/golangci-lint.yml | grep [[:s
 GOLANGCI_LINT := $(abspath $(TOOLS_BIN_DIR)/$(GOLANGCI_LINT_BIN)-$(GOLANGCI_LINT_VER))
 GOLANGCI_LINT_PKG := github.com/golangci/golangci-lint/cmd/golangci-lint
 
+GOVULNCHECK_BIN := govulncheck
+GOVULNCHECK_VER := v1.0.0
+GOVULNCHECK := $(abspath $(TOOLS_BIN_DIR)/$(GOVULNCHECK_BIN)-$(GOVULNCHECK_VER))
+GOVULNCHECK_PKG := golang.org/x/vuln/cmd/govulncheck
+
 CONVERSION_VERIFIER_BIN := conversion-verifier
 CONVERSION_VERIFIER := $(abspath $(TOOLS_BIN_DIR)/$(CONVERSION_VERIFIER_BIN))
 
@@ -623,6 +628,24 @@ verify-tiltfile: ## Verify Tiltfile format
 verify-container-images: ## Verify container images
 	TRACE=$(TRACE) ./hack/verify-container-images.sh
 
+.PHONY: verify-govulncheck
+verify-govulncheck: $(GOVULNCHECK) ## Verify code for vulnerabilities
+	$(GOVULNCHECK) ./... && R1=$$? || R1=$$?; \
+	$(GOVULNCHECK) -C "$(TOOLS_DIR)" ./... && R2=$$? || R2=$$?; \
+	$(GOVULNCHECK) -C "$(TEST_DIR)" ./... && R3=$$? || R3=$$?; \
+	if [ "$$R1" -ne "0" ] || [ "$$R2" -ne "0" ] || [ "$$R3" -ne "0" ]; then \
+		exit 1; \
+	fi
+
+.PHONY: verify-security
+verify-security: ## Verify code and images for vulnerabilities
+	$(MAKE) verify-container-images && R1=$$? || R1=$$?; \
+	$(MAKE) verify-govulncheck && R2=$$? || R2=$$?; \
+	if [ "$$R1" -ne "0" ] || [ "$$R2" -ne "0" ]; then \
+	  echo "Check for vulnerabilities failed! There are vulnerabilities to be fixed"; \
+		exit 1; \
+	fi
+
 ## --------------------------------------
 ## Binaries
 ## --------------------------------------
@@ -1182,6 +1205,9 @@ $(GINKGO_BIN): $(GINKGO) ## Build a local copy of ginkgo.
 .PHONY: $(GOLANGCI_LINT_BIN)
 $(GOLANGCI_LINT_BIN): $(GOLANGCI_LINT) ## Build a local copy of golangci-lint.
 
+.PHONY: $(GOVULNCHECK_BIN)
+$(GOVULNCHECK_BIN): $(GOVULNCHECK) ## Build a local copy of govulncheck.
+
 $(CONTROLLER_GEN): # Build controller-gen from tools folder.
 	GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(CONTROLLER_GEN_PKG) $(CONTROLLER_GEN_BIN) $(CONTROLLER_GEN_VER)
 
@@ -1233,6 +1259,9 @@ $(GINKGO): # Build ginkgo from tools folder.
 $(GOLANGCI_LINT): # Build golangci-lint from tools folder.
 	GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GOLANGCI_LINT_PKG) $(GOLANGCI_LINT_BIN) $(GOLANGCI_LINT_VER)
 
+$(GOVULNCHECK): # Build govulncheck.
+	GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GOVULNCHECK_PKG) $(GOVULNCHECK_BIN) $(GOVULNCHECK_VER)
+
 ## --------------------------------------
 ## Helpers
 ## --------------------------------------

diff --git a/hack/verify-container-images.sh b/hack/verify-container-images.sh
@@ -71,7 +71,7 @@ NC='\033[0m' # No
 
 if [ "$R1" -ne "0" ] || [ "$R2"  -ne "0" ] || [ "$R3" -ne "0" ] || [ "$R4" -ne "0"  ] || [ "$R5" -ne "0"  ] || [ "$R6" -ne "0" ]
 then
-  echo -e "${BRed}Check container images failed! There are vulnerability to be fixed${NC}"
+  echo -e "${BRed}Check container images failed! There are vulnerabilities to be fixed${NC}"
   exit 1
 fi