This JFrog Pipelines task runs gosec, a static security analyzer for Go source code.
Prerequisites
This task requires Go to be installed. If Go is not available, consider using the jfrog/setup-go
task to install it.
Usage
Basic:

```yaml
- task: jfrog/go-security-check@v0.1.0
  input:
    goSecVersion: "v2.15.0"
    resourceName: "my_gitrepo"
    sourcePath: "src/service"
```
You can select which rules to run using the includeRules input:

```yaml
- task: jfrog/go-security-check@v0.1.0
  input:
    goSecVersion: "v2.15.0"
    resourceName: "my_gitrepo"
    sourcePath: "src/service"
    includeRules: "G101,G203"
```
If you prefer, you can exclude specific rules using the excludeRules input:

```yaml
- task: jfrog/go-security-check@v0.1.0
  input:
    goSecVersion: "v2.15.0"
    resourceName: "my_gitrepo"
    sourcePath: "src/service"
    excludeRules: "G303"
```
Additional arguments can be passed to the gosec tool using the optionalCommandArgs input:

```yaml
- task: jfrog/go-security-check@v0.1.0
  input:
    goSecVersion: "v2.15.0"
    resourceName: "my_gitrepo"
    sourcePath: "src/service"
    optionalCommandArgs: "--tests -exclude-dir=tests"
```
The desired output format can be selected using the outputFormat input:

```yaml
- task: jfrog/go-security-check@v0.1.0
  input:
    goSecVersion: "v2.15.0"
    resourceName: "my_gitrepo"
    sourcePath: "src/service"
    outputFormat: "json"
```
Input Variables
Name | Required | Default | Description |
---|---|---|---|
goSecVersion | false | latest | gosec version to be used |
resourceName | true | | GitRepo resource name to be scanned |
sourcePath | false | . | Path to the Go source code where the go.mod file resides. If not provided, the path of the given resource is used |
includeRules | false | | Rules that will be included while running gosec |
excludeRules | false | | Rules that will be excluded while running gosec |
optionalCommandArgs | false | | Additional arguments passed to the gosec command |
outputFormat | false | text | Output format: json, yaml, csv, junit-xml, html, sonarqube, golint, sarif or text |
Output Variables
None
Exported Environment Variables
None
How does it work?
This task installs the gosec tool from github.com/securego/gosec/v2
and runs it at the source code location with the parameters specified in the task's inputs.
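As an added illustration (not the task's own script), the sketch below shows how the task inputs listed above translate into a gosec install-and-run command. The function names, the `./...` package pattern and the treatment of empty inputs are assumptions; `-include`, `-exclude` and `-fmt` are gosec's real flags.

```shell
#!/bin/sh
# Added example, not the jfrog/go-security-check task's own implementation.
# install_gosec VERSION: fetch the requested gosec release with "go install".
# "latest" resolves to the newest tagged version of the module.
install_gosec() {
    version="${1:-latest}"
    go install "github.com/securego/gosec/v2/cmd/gosec@${version}"
}

# build_gosec_cmd INCLUDE_RULES EXCLUDE_RULES OUTPUT_FORMAT EXTRA_ARGS
# Prints the gosec command line the task inputs map onto. Empty inputs are
# skipped, so only the options actually set end up on the command line.
build_gosec_cmd() {
    include_rules="$1"
    exclude_rules="$2"
    output_format="${3:-text}"
    extra_args="$4"

    cmd="gosec"
    [ -n "$include_rules" ] && cmd="$cmd -include=$include_rules"
    [ -n "$exclude_rules" ] && cmd="$cmd -exclude=$exclude_rules"
    cmd="$cmd -fmt=$output_format"
    [ -n "$extra_args" ] && cmd="$cmd $extra_args"
    # "./..." (assumed here) makes gosec walk every package under the path.
    cmd="$cmd ./..."
    printf '%s\n' "$cmd"
}

# run_gosec SOURCE_PATH INCLUDE_RULES EXCLUDE_RULES OUTPUT_FORMAT EXTRA_ARGS
# Runs from inside the source directory so its go.mod is picked up. gosec
# exits non-zero when it reports findings, which is what fails the step.
run_gosec() {
    dir="${1:-.}"
    shift
    ( cd "$dir" && eval "$(build_gosec_cmd "$@")" )
}
```

Because `run_gosec` evaluates the assembled string, pass only trusted values in `optionalCommandArgs`; a pipeline variable controlled by an untrusted party would otherwise reach the shell unchanged.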
License
This project is licensed under Apache 2.0 license.