Spaces:

AUXteam
/

WitNote

Sleeping

App Files Files Community

WitNote / scripts /check-gosec.sh

AUXteam

Upload folder using huggingface_hub

6a7089a verified 9 days ago

raw

history blame contribute delete

2.61 kB

	#!/bin/bash
	# Run gosec security scan locally with the same config as CI
	set -e

	# Ensure ~/go/bin is in PATH
	export PATH="$HOME/go/bin:$PATH"

	# Check if gosec is installed
	if ! command -v gosec &> /dev/null; then
	echo "Installing gosec..."
	go install github.com/securego/gosec/v2/cmd/gosec@latest
	fi

	echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
	echo "Running gosec security scan..."
	echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
	echo ""
	echo "⏱️ This may take 3-5 minutes on local machines"
	echo " (CI runs faster on optimized GitHub runners)"
	echo ""

	START_TIME=$(date +%s)

	# Run gosec with the same config as CI
	# Note: This scans all Go code, same as the CI does
	gosec -exclude=G301,G302,G304,G306,G404,G107,G115,G703,G704,G705,G706 \
	-fmt=json \
	-out=gosec-results.json \
	./... 2>&1 \| grep -E "Checking (file\|package)" \| tail -10 \|\| true

	END_TIME=$(date +%s)
	DURATION=$((END_TIME - START_TIME))

	echo ""
	echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
	echo "Security Scan Results (${DURATION}s)"
	echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"

	# Check if results file exists
	if [ ! -f gosec-results.json ]; then
	echo "❌ No results file generated (scan may have failed)"
	exit 1
	fi

	cat gosec-results.json \| jq -r '.Stats'
	echo ""

	# Check for critical findings (same as CI)
	ISSUES=$(cat gosec-results.json \| jq '[.Issues[] \| select(.rule_id == "G112" or .rule_id == "G204")] \| length')
	echo "Critical issues (G112, G204): $ISSUES"

	if [ "$ISSUES" -gt 0 ]; then
	echo ""
	echo "❌ CRITICAL ISSUES FOUND (will fail CI):"
	cat gosec-results.json \| jq -r '.Issues[] \| select(.rule_id == "G112" or .rule_id == "G204")'
	echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
	exit 1
	else
	echo "✅ No critical issues (CI will pass)"

	TOTAL=$(cat gosec-results.json \| jq '.Stats.found')
	if [ "$TOTAL" -gt 0 ]; then
	echo ""
	echo "ℹ️ Other issues found (excluded from CI):"
	cat gosec-results.json \| jq -r '.Issues[0:5] \| .[] \| " \(.severity): \(.rule_id) at \(.file):\(.line)"'
	echo ""
	echo "Full report: gosec-results.json"
	fi
	fi

	echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"