go-security-check

JFrog Pipelines Documentation


This Pipelines Task runs gosec code security analysis.

Prerequisites

This task requires Go to be installed. If Go is not available, consider using the jfrog/setup-go task to install it.

Usage

Basic:

- task: jfrog/go-security-check@v0.1.0
  input:
    goSecVersion: "v2.15.0"
    resourceName: "my_gitrepo"
    sourcePath: "src/service"

You can select which rules to run using the includeRules input:

- task: jfrog/go-security-check@v0.1.0
  input:
    goSecVersion: "v2.15.0"
    resourceName: "my_gitrepo"
    sourcePath: "src/service"
    includeRules: "G101,G203"

If you prefer, you can exclude specific rules using the excludeRules input:

- task: jfrog/go-security-check@v0.1.0
  input:
    goSecVersion: "v2.15.0"
    resourceName: "my_gitrepo"
    sourcePath: "src/service"
    excludeRules: "G303"

Additional arguments can be passed to the gosec tool using the optionalCommandArgs input:

- task: jfrog/go-security-check@v0.1.0
  input:
    goSecVersion: "v2.15.0"
    resourceName: "my_gitrepo"
    sourcePath: "src/service"
    optionalCommandArgs: "--tests -exclude-dir=tests"

The desired output format can be selected using the outputFormat input:

- task: jfrog/go-security-check@v0.1.0
  input:
    goSecVersion: "v2.15.0"
    resourceName: "my_gitrepo"
    sourcePath: "src/service"
    outputFormat: "json"

Input Variables

Name                | Required | Default | Description
--------------------|----------|---------|--------------------------------------------------------------------------------------------------
goSecVersion        | false    | latest  | gosec version to be used
resourceName        | true     |         | GitRepo resource name to be scanned
sourcePath          | false    | .       | Path to the Go source code where the go.mod file resides. If not provided, the path of the given resource is used
includeRules        | false    |         | Rules that will be included while running gosec
excludeRules        | false    |         | Rules that will be excluded while running gosec
optionalCommandArgs | false    |         | Additional arguments passed to the gosec command
outputFormat        | false    | text    | Output format: json, yaml, csv, junit-xml, html, sonarqube, golint, sarif or text

Output Variables

None

Exported Environment Variables

None

How does it work?

This task installs the gosec tool from github.com/securego/gosec/v2 and runs it at the source code location with the parameters specified in the task's inputs.
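As an added illustration (not the task's own implementation), the POSIX shell functions below reconstruct the gosec install command and the command line that the documented inputs imply. The flag names -include, -exclude and -fmt are gosec's real flags; the exact way the task maps its inputs onto them internally is an assumption, as is the rejection of output formats outside the documented list.

```shell
#!/bin/sh
# Added example: rebuilds what the task is assumed to run from its inputs.
# gosec is installed with `go install` from the module the page names.

# Install command for the requested gosec version ("latest" when unset).
gosec_install_cmd() {
  version="${1:-latest}"
  printf 'go install github.com/securego/gosec/v2/cmd/gosec@%s\n' "$version"
}

# Accept only the output formats the task documents; anything else is an error.
valid_output_format() {
  case "$1" in
    json|yaml|csv|junit-xml|html|sonarqube|golint|sarif|text) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the gosec invocation from the task inputs:
# $1 sourcePath, $2 includeRules, $3 excludeRules, $4 outputFormat, $5 optionalCommandArgs
gosec_cmd() {
  source_path="${1:-.}"
  include_rules="$2"
  exclude_rules="$3"
  output_format="${4:-text}"
  extra_args="$5"

  if ! valid_output_format "$output_format"; then
    printf 'unsupported outputFormat: %s\n' "$output_format" >&2
    return 1
  fi

  cmd="gosec"
  if [ -n "$include_rules" ]; then cmd="$cmd -include=$include_rules"; fi
  if [ -n "$exclude_rules" ]; then cmd="$cmd -exclude=$exclude_rules"; fi
  cmd="$cmd -fmt=$output_format"
  if [ -n "$extra_args" ]; then cmd="$cmd $extra_args"; fi
  # gosec takes package patterns; ./... covers every package under sourcePath
  printf 'cd %s && %s ./...\n' "$source_path" "$cmd"
}

# Demonstration with the page's own input values (constructed calls)
gosec_install_cmd v2.15.0
gosec_cmd src/service G101,G203 "" json ""
gosec_cmd src/service "" G303 "" "--tests -exclude-dir=tests"
```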

License

This project is licensed under the Apache 2.0 license.