ci: setup ci

.github/workflows/bulwark-gitleaks.yaml

@@ -0,0 +1,39 @@
+name: BulwarkGitLeaks
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+concurrency:
+  group: gitleaks-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  gitleaks-pr-scan:
+    runs-on: ubuntu-latest
+    container:
+      image: gcr.io/spectro-dev-public/bulwark/gitleaks:latest
+      env:
+        REPO: ${{ github.event.repository.name }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        GITLEAKS_CONFIG: /workspace/config.toml
+    steps:
+
+      - name: run-bulwark-gitleaks-scan
+        shell: sh
+        env:
+          BRANCH: ${{ github.head_ref || github.ref_name }}
+        run: /workspace/bulwark -name CodeSASTGitLeaks -organization spectrocloud-labs -target $REPO -tags "branch:$BRANCH,options:--log-opts origin..HEAD"
+
+      - name: check-result
+        shell: sh
+        run: |
+          resultPath=./$REPO/gitleaks.json
+          cat $resultPath | grep -v \"Match\"\: | grep -v \"Secret\"\:
+          total_failed_tests=`cat $resultPath | grep \"Fingerprint\"\: | wc -l`
+          if [ "$total_failed_tests" -gt 0 ]; then
+            echo "GitLeaks validation check failed with above findings..."
+            exit 1
+          else
+            echo "GitLeaks validation check passed"
+          fi

.github/workflows/bulwark-golicenses.yaml

@@ -0,0 +1,31 @@
+name: GoLicenses
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+concurrency:
+  group: golicenses-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  golicense-pr-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: install-git
+        run: sudo apt-get install -y git
+
+      - name: install-golicenses
+        run: GOBIN=/usr/local/bin go install github.com/google/go-licenses@v1.0.0
+
+      - name: checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+
+      - name: Set up Go
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4
+        with:
+          go-version: '1.22'
+
+      - name: golicense-scan
+        run: |
+          go-licenses check ./...

.github/workflows/bulwark-gosec.yaml

@@ -0,0 +1,49 @@
+name: BulwarkGoSec
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+concurrency:
+  group: gosec-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  gosec-pr-scan:
+    runs-on: ubuntu-latest
+    container:
+      image: gcr.io/spectro-dev-public/bulwark/gosec:latest
+      env:
+        REPO: ${{ github.event.repository.name }}
+    steps:
+
+      - name: Set up Go
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4
+        with:
+          go-version: '1.22'
+
+      - name: checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+
+      - name: run-gosec-scan
+        shell: sh
+        env:
+          BRANCH: ${{ github.head_ref || github.ref_name }}
+          GO111MODULE: on
+        run: /workspace/bulwark -name CodeSASTGoSec -verbose -organization spectrocloud-labs -target $REPO -tags "branch:$BRANCH"
+
+      - name: check-result
+        shell: sh
+        run: |
+          resultPath=$REPO-result.json
+          issues=$(cat $resultPath | jq -r '.Stats.found')
+          echo "Found ${issues} issues"
+          echo "Issues by Rule ID"
+          jq -r '.Issues | group_by (.rule_id)[] | {rule: .[0].rule_id, count: length}' $resultPath
+          if [ "$issues" -gt 0 ]; then
+            echo "GoSec SAST scan failed with below findings..."
+            cat $resultPath
+            exit 1
+          else
+            echo "GoSec SAST scan passed"
+          fi

.github/workflows/bulwark-govulncheck.yaml

@@ -0,0 +1,27 @@
+name: GoVulnCheck
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+concurrency:
+  group: govulncheck-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  govulncheck-pr-scan:
+    runs-on: ubuntu-latest
+    container:
+      image: gcr.io/spectro-images-public/golang:1.22-alpine
+    steps:
+      - name: install-govulncheck
+        run: GOBIN=/usr/local/bin go install golang.org/x/vuln/cmd/govulncheck@latest
+
+      - name: checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+
+      - name: govulncheck-scan
+        run: |
+          go version
+          govulncheck -mode source ./...
+

.github/workflows/ci.yaml

@@ -0,0 +1,19 @@
+on:
+  push:
+  workflow_dispatch:
+
+jobs:
+  lint-and-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Unshallow
+        run: git fetch --prune --unshallow
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.22
+      - name: Test
+        run: make test
+

.gitignore

@@ -0,0 +1,4 @@
+bin/*
+!bin/.gitkeep
+_build
+.DS_Store

.golangci.yaml

@@ -0,0 +1,53 @@
+## golangci-lint v1.55.2
+
+# References:
+# - https://golangci-lint.run/usage/linters/
+# - https://gist.github.com/maratori/47a4d00457a92aa426dbd48a18776322
+
+run:
+  timeout: 10m # default 1m
+
+linters-settings:
+  gosimple:
+    go: "1.21" # default 1.13
+  govet:
+    enable-all: true
+    disable:
+      - fieldalignment # too strict
+      - shadow # too strict
+  staticcheck:
+    go: "1.21" # default 1.13
+
+  # Non-default
+  cyclop:
+    max-complexity: 12 # maximal code complexity to report; default 10
+    package-average: 0.0 # maximal average package complexity to report; default 0.0
+  gocognit:
+    min-complexity: 30 # minimal code complexity to report; default: 30
+
+linters:
+  disable-all: true
+  enable:
+    ## enabled by default
+    - errcheck # Errcheck is a program for checking for unchecked errors in go programs. These unchecked errors can be critical bugs in some cases
+    - ineffassign # Detects when assignments to existing variables are not used
+    - typecheck # Like the front-end of a Go compiler, parses and type-checks Go code
+    - gosimple # Linter for Go source code that specializes in simplifying a code
+    - govet # Vet examines Go source code and reports suspicious constructs, such as Printf calls whose arguments do not align with the format string
+    - unused # Checks Go code for unused constants, variables, functions and types
+    - staticcheck # Staticcheck is a go vet on steroids, applying a ton of static analysis checks
+    ## disabled by default
+    - cyclop # checks function and package cyclomatic complexity
+    - gocognit # Computes and checks the cognitive complexity of functions
+
+issues:
+  max-issues-per-linter: 0
+  max-same-issues: 0
+  exclude-rules:
+    - path: _test\.go
+      linters:
+        - errcheck
+        - gosimple
+        - ineffassign
+        - staticcheck
+        - unused

Makefile

@@ -0,0 +1,48 @@
+# If you update this file, please follow:
+# https://suva.sh/posts/well-documented-makefiles/
+
+.DEFAULT_GOAL:=help
+
+# binary versions
+BIN_DIR ?= ./bin
+GOLANGCI_VERSION ?= 1.55.2
+
+GOOS ?= $(shell go env GOOS)
+GOARCH ?= $(shell go env GOARCH)
+
+##@ Help Targets
+help:  ## Display this help
+	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[0m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+
+##@ Test Targets
+.PHONY: test
+test: static ## Run tests
+	@mkdir -p _build/cov
+	go test -covermode=atomic -coverpkg=./... -coverprofile _build/cov/coverage.out ./... -timeout 120m
+
+##@ Static Analysis Targets
+static: fmt lint vet
+fmt: ## Run go fmt against code
+	go fmt ./...
+lint: golangci-lint ## Run golangci-lint
+	$(GOLANGCI_LINT) run
+vet: ## Run go vet against code
+	go vet ./...
+
+## Tools & binaries
+golangci-lint:
+	if ! test -f $(BIN_DIR)/golangci-lint-linux-amd64; then \
+		curl -LOs https://github.com/golangci/golangci-lint/releases/download/v$(GOLANGCI_VERSION)/golangci-lint-$(GOLANGCI_VERSION)-linux-amd64.tar.gz; \
+		tar -zxf golangci-lint-$(GOLANGCI_VERSION)-linux-amd64.tar.gz; \
+		mv golangci-lint-$(GOLANGCI_VERSION)-*/golangci-lint $(BIN_DIR)/golangci-lint-linux-amd64; \
+		chmod +x $(BIN_DIR)/golangci-lint-linux-amd64; \
+		rm -rf ./golangci-lint-$(GOLANGCI_VERSION)-linux-amd64*; \
+	fi
+	if ! test -f $(BIN_DIR)/golangci-lint-$(GOOS)-$(GOARCH); then \
+		curl -LOs https://github.com/golangci/golangci-lint/releases/download/v$(GOLANGCI_VERSION)/golangci-lint-$(GOLANGCI_VERSION)-$(GOOS)-$(GOARCH).tar.gz; \
+		tar -zxf golangci-lint-$(GOLANGCI_VERSION)-$(GOOS)-$(GOARCH).tar.gz; \
+		mv golangci-lint-$(GOLANGCI_VERSION)-*/golangci-lint $(BIN_DIR)/golangci-lint-$(GOOS)-$(GOARCH); \
+		chmod +x $(BIN_DIR)/golangci-lint-$(GOOS)-$(GOARCH); \
+		rm -rf ./golangci-lint-$(GOLANGCI_VERSION)-$(GOOS)-$(GOARCH)*; \
+	fi
+GOLANGCI_LINT=$(BIN_DIR)/golangci-lint-$(GOOS)-$(GOARCH)