bulwark-gosec.yaml
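---
# CI workflow: runs the gosec SAST scanner (through the bulwark wrapper image)
# on pull requests or on demand, prints a per-rule summary, and fails the job
# when the result JSON reports any finding.
name: BulwarkGoSec

# yamllint disable-line rule:truthy
on:
  pull_request:
  workflow_dispatch:

# One scan per ref at a time; a newer run on the same ref cancels the older one.
concurrency:
  group: gosec-${{ github.ref }}
  cancel-in-progress: true

jobs:
  gosec-pr-scan:
    # NOTE(review): pull_request on a self-hosted runner executes the PR head's
    # code on org infrastructure; confirm the fork-PR approval policy and the
    # runner group this label set maps to.
    runs-on: [self-hosted, Linux, X64, validator]
    container:
      # NOTE(review): `latest` is a mutable tag; pinning the scanner image by
      # digest would make scans reproducible and image tampering detectable.
      image: gcr.io/spectro-dev-public/bulwark/gosec:latest
    env:
      REPO: ${{ github.event.repository.name }}
    steps:
      - name: checkout
        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4

      - name: Set up Go
        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
        with:
          cache: false
          go-version-file: go.mod

      - name: run-gosec-scan
        shell: sh
        env:
          # The branch name reaches the script via the environment rather than
          # by template interpolation, so an unusual ref name cannot change the
          # command line; it is still quoted below when used.
          BRANCH: ${{ github.head_ref || github.ref_name }}
          # Quoted: a bare `on` is a YAML 1.1 boolean and may not reach the Go
          # toolchain as the string it expects.
          GO111MODULE: "on"
        run: /workspace/bulwark -name CodeSASTGoSec -verbose -organization validator-labs -target "$REPO" -tags "branch:$BRANCH"

      - name: check-result
        shell: sh
        # GitHub runs `shell: sh` with `-e`, so a failing jq or a non-numeric
        # `issues` value (which makes `[ -gt ]` fail) aborts the step: the check
        # fails closed on a missing or malformed result file.
        run: |
          resultPath="$REPO-result.json"
          issues=$(jq -r '.Stats.found' "$resultPath")
          echo "Found ${issues} issues"
          echo "Issues by Rule ID"
          # `// []` keeps the summary from erroring when .Issues is absent or null.
          jq -r '(.Issues // []) | group_by(.rule_id)[] | {rule: .[0].rule_id, count: length}' "$resultPath"
          if [ "$issues" -gt 0 ]; then
            echo "GoSec SAST scan failed with below findings..."
            cat "$resultPath"
            exit 1
          else
            echo "GoSec SAST scan passed"
          fi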