gibidify/scripts/gosec.sh
Ismo Vuorinen 95b7ef6dd3 chore: modernize workflows, security scanning, and linting configuration (#50)
* build: update Go 1.25, CI workflows, and build tooling

- Upgrade to Go 1.25
- Add benchmark targets to Makefile
- Implement parallel gosec execution
- Lock tool versions for reproducibility
- Add shellcheck directives to scripts
- Update CI workflows with improved caching

* refactor: migrate from golangci-lint to revive

- Replace golangci-lint with revive for linting
- Configure comprehensive revive rules
- Fix all EditorConfig violations
- Add yamllint and yamlfmt support
- Remove deprecated .golangci.yml

* refactor: rename utils to shared and deduplicate code

- Rename utils package to shared
- Add shared constants package
- Deduplicate constants across packages
- Address CodeRabbit review feedback

* fix: resolve SonarQube issues and add safety guards

- Fix all 73 SonarQube OPEN issues
- Add nil guards for resourceMonitor, backpressure, metricsCollector
- Implement io.Closer for headerFileReader
- Propagate errors from processing helpers
- Add metrics and templates packages
- Improve error handling across codebase

* test: improve test infrastructure and coverage

- Add benchmarks for cli, fileproc, metrics
- Improve test coverage for cli, fileproc, config
- Refactor tests with helper functions
- Add shared test constants
- Fix test function naming conventions
- Reduce cognitive complexity in benchmark tests

* docs: update documentation and configuration examples

- Update CLAUDE.md with current project state
- Refresh README with new features
- Add usage and configuration examples
- Add SonarQube project configuration
- Consolidate config.example.yaml

* fix: resolve shellcheck warnings in scripts

- Use ./*.go instead of *.go to prevent dash-prefixed filenames
  from being interpreted as options (SC2035)
- Remove unreachable return statement after exit (SC2317)
- Remove obsolete gibidiutils/ directory reference

* chore(deps): upgrade go dependencies

* chore(lint): megalinter fixes

* fix: improve test coverage and fix file descriptor leaks

- Add defer r.Close() to fix pipe file descriptor leaks in benchmark tests
- Refactor TestProcessorConfigureFileTypes with helper functions and assertions
- Refactor TestProcessorLogFinalStats with output capture and keyword verification
- Use shared constants instead of literal strings (TestFilePNG, FormatMarkdown, etc.)
- Reduce cognitive complexity by extracting helper functions

* fix: align test comments with function names

Remove underscores from test comments to match actual function names:
- benchmark/benchmark_test.go (2 fixes)
- fileproc/filetypes_config_test.go (4 fixes)
- fileproc/filetypes_registry_test.go (6 fixes)
- fileproc/processor_test.go (6 fixes)
- fileproc/resource_monitor_types_test.go (4 fixes)
- fileproc/writer_test.go (3 fixes)

* fix: various test improvements and bug fixes

- Remove duplicate maxCacheSize check in filetypes_registry_test.go
- Shorten long comment in processor_test.go to stay under 120 chars
- Remove flaky time.Sleep in collector_test.go, use >= 0 assertion
- Close pipe reader in benchmark_test.go to fix file descriptor leak
- Use ContinueOnError in flags_test.go to match ResetFlags behavior
- Add nil check for p.ui in processor_workers.go before UpdateProgress
- Fix resource_monitor_validation_test.go by setting hardMemoryLimitBytes directly

* chore(yaml): add missing document start markers

Add --- document start to YAML files to satisfy yamllint:
- .github/workflows/codeql.yml
- .github/workflows/build-test-publish.yml
- .github/workflows/security.yml
- .github/actions/setup/action.yml

* fix: guard nil resourceMonitor and fix test deadlock

- Guard resourceMonitor before CreateFileProcessingContext call
- Add ui.UpdateProgress on emergency stop and path error returns
- Fix potential deadlock in TestProcessFile using wg.Go with defer close
2025-12-10 19:07:11 +02:00
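The SC2035 item in the commit message ("Use ./*.go instead of *.go") is easiest to see with a file whose name starts with a dash. The following is an added example, not code from gibidify: it builds a constructed fixture containing `util.go` and `-n.go`, then shows that an unanchored glob hands `-n.go` to `wc` as an option while the anchored `./*.go` keeps it a path.

```shell
#!/usr/bin/env bash
# Added example (not part of gibidify): why ShellCheck SC2035 wants "./*.go".
# A constructed file named "-n.go" expands from an unanchored glob into an
# argument that wc parses as an option; "./-n.go" is unmistakably a path.
set -eu

# Build a throwaway directory with an ordinary Go file and a dash-prefixed one.
# "-n.go" sorts before "util.go" in both the C locale and glibc locales, so it
# is the first argument wc sees regardless of how wc handles option order.
make_fixture() {
  local dir
  dir="$(mktemp -d)"
  printf 'package main\n' >"$dir/util.go"
  printf 'package main\n' >"$dir/-n.go"   # constructed; the leading dash is the point
  printf '%s\n' "$dir"
}

# Unanchored glob: wc receives "-n.go", treats it as an option and exits non-zero.
# shellcheck disable=SC2035
count_lines_unanchored() {
  local dir="$1"
  (cd "$dir" && wc -l *.go 2>/dev/null)
}

# Anchored glob: every argument begins with "./", so wc counts both files.
count_lines_anchored() {
  local dir="$1"
  (cd "$dir" && wc -l ./*.go 2>/dev/null)
}

# Number of files matched by the anchored glob (2 for the fixture above).
count_go_files_anchored() {
  local dir="$1"
  (cd "$dir" && set -- ./*.go && printf '%s\n' "$#")
}

# Prints both outcomes side by side; call with the path from make_fixture.
demo() {
  local dir="$1"
  if ! count_lines_unanchored "$dir" >/dev/null; then
    echo "unanchored *.go : wc rejected '-n.go' as an option (SC2035)"
  fi
  echo "anchored ./*.go : $(count_go_files_anchored "$dir") files counted"
}
```

Running `demo "$(make_fixture)"` prints the rejection for the unanchored form and a count of 2 for the anchored one.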

146 lines, 3.8 KiB, Bash, Executable File

#!/usr/bin/env bash
# Gosec security scanner script for individual Go files
# Runs gosec on each Go directory and reports issues per file
set -euo pipefail

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color

# If NO_COLOR is set, disable colors
if [[ -n "${NO_COLOR:-}" ]]; then
  RED=''
  GREEN=''
  YELLOW=''
  BLUE=''
  NC=''
fi

# Functions to print status
print_status() {
  local msg="$1"
  echo -e "${BLUE}[INFO]${NC} $msg"
  return 0
}

print_warning() {
  local msg="$1"
  echo -e "${YELLOW}[WARN]${NC} $msg" >&2
  return 0
}

print_error() {
  local msg="$1"
  echo -e "${RED}[ERROR]${NC} $msg" >&2
  return 0
}

print_success() {
  local msg="$1"
  echo -e "${GREEN}[SUCCESS]${NC} $msg"
  return 0
}

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
cd "$PROJECT_ROOT" || {
  print_error "Failed to change directory to $PROJECT_ROOT"
  exit 1
}

# Check if gosec is available
if ! command -v gosec &>/dev/null; then
  print_error "gosec not found. Please install it first:"
  print_error "  go install github.com/securego/gosec/v2/cmd/gosec@latest"
  exit 1
fi

# Check if jq is available
if ! command -v jq &>/dev/null; then
  print_error "jq not found. Please install it first:"
  print_error "  brew install jq      # on macOS"
  print_error "  apt-get install jq   # on Ubuntu/Debian"
  exit 1
fi

# Get all Go files and unique directories (hidden directories such as .git are skipped)
GO_FILES=$(find . -name "*.go" -not -path "./.*" | sort)
if [[ -z "$GO_FILES" ]]; then
  print_warning "No Go files found under $PROJECT_ROOT; nothing to scan"
  exit 0
fi
TOTAL_FILES=$(echo "$GO_FILES" | wc -l | tr -d ' ')
DIRECTORIES=$(echo "$GO_FILES" | xargs -n1 dirname | sort -u)
TOTAL_DIRS=$(echo "$DIRECTORIES" | wc -l | tr -d ' ')

print_status "Found $TOTAL_FILES Go files in $TOTAL_DIRS directories"
print_status "Running gosec security scan..."

ISSUES_FOUND=0
FILES_WITH_ISSUES=0
CURRENT_DIR=0

# Create a temporary directory for reports
TEMP_DIR=$(mktemp -d)
trap 'rm -rf "$TEMP_DIR"' EXIT
PROCESSED_FILES="$TEMP_DIR/processed_files.txt"

# Process each directory
while IFS= read -r dir; do
  CURRENT_DIR=$((CURRENT_DIR + 1))
  echo -ne "\r${BLUE}[PROGRESS]${NC} Scanning $CURRENT_DIR/$TOTAL_DIRS: $dir "

  # Run gosec on the directory. gosec exits non-zero when it finds issues, so
  # -no-fail is required to tell "issues found" apart from a scan that failed.
  REPORT_FILE="$TEMP_DIR/$(echo "$dir" | tr '/' '_' | tr '.' '_').json"
  if gosec -no-fail -fmt=json "$dir" >"$REPORT_FILE" 2>/dev/null; then
    # Check for issues in all files in this directory
    ISSUES=$(jq -r '.Issues // [] | length' "$REPORT_FILE" 2>/dev/null || echo "0")

    if [[ "$ISSUES" -gt 0 ]]; then
      echo # New line after progress
      print_warning "Found $ISSUES security issue(s) in directory $dir:"

      # Display issues per file. Tab-separated output is used instead of '|'
      # because the details text may itself contain a pipe character.
      jq -r '.Issues[] | [.file, .line, .rule_id, .details] | @tsv' "$REPORT_FILE" 2>/dev/null |
        while IFS=$'\t' read -r file line rule details; do
          if [[ -n "$file" ]]; then
            # Record each file once (exact whole-line match). The per-file count
            # is recomputed from this list after the loop, because the pipeline
            # runs in a subshell and cannot update FILES_WITH_ISSUES directly.
            if ! grep -qxF -- "$file" "$PROCESSED_FILES" 2>/dev/null; then
              echo "$file" >>"$PROCESSED_FILES"
            fi
            echo "  $file:$line: $rule: $details"
          fi
        done

      ISSUES_FOUND=$((ISSUES_FOUND + ISSUES))
      echo
    fi
  else
    echo # New line after progress
    print_error "Failed to scan directory $dir"
  fi
done <<<"$DIRECTORIES"

echo # Final new line after progress

# Count actual files with issues
if [[ -f "$PROCESSED_FILES" ]]; then
  FILES_WITH_ISSUES=$(wc -l <"$PROCESSED_FILES" | tr -d ' ')
fi

# Summary
print_status "Gosec scan completed!"
print_status "Directories scanned: $TOTAL_DIRS"
print_status "Files scanned: $TOTAL_FILES"

if [[ $ISSUES_FOUND -eq 0 ]]; then
  print_success "No security issues found! 🎉"
  exit 0
else
  print_warning "Found $ISSUES_FOUND security issue(s) in $FILES_WITH_ISSUES file(s)"
  print_status "Review the issues above and fix them before proceeding"
  exit 1
fi