Use this action to perform static application security testing (SAST) on Go repositories with the open-source Golang Security Checker (Gosec). Gosec inspects Go code for security problems by scanning the AST and SSA code representation. You can also use the action output as a quality gate for the next step or job in your workflow.
| Input name | Data type | Required? | Description |
|---|---|---|---|
| | String | No | The ref of the code to be scanned. |
| | String | No | The path of the code to be scanned. |
| Output name | Data type | Description |
|---|---|---|
| critical-count | String | The number of Critical security findings discovered during the scan. |
| very-high-count | String | The number of Very high security findings discovered during the scan. |
| high-count | String | The number of High security findings discovered during the scan. |
| medium-count | String | The number of Medium security findings discovered during the scan. |
| low-count | String | The number of Low security findings discovered during the scan. |
The following is a basic example of using the action:
```yaml
- name: Scan with Gosec
  uses: cloudbees-io/gosec-plugin@v1
```

Access the output values in downstream steps and jobs using the outputs context. Use the output in your workflow as follows, where <action_step_ID> is the action step ID, and <severity> is an output parameter name, such as critical-count:

```
${{steps.<action_step_ID>.outputs.<severity>}}
```

The following example uses the action output in a downstream step of the same job:
```yaml
name: my-workflow
kind: workflow
apiVersion: automation.cloudbees.io/v1alpha1
on:
  push:
    branches:
      - main
permissions:
  scm-token-own: read
  scm-token-org: read
  id-token: write
jobs:
  gosec-scan-job:
    steps:
      - name: check out source code
        uses: cloudbees-io/checkout@v1
      - id: gosec-step
        name: gosec scan
        uses: cloudbees-io/gosec-plugin@v1
      - name: source dir examine
        uses: docker://golang:1.20.3-alpine3.17
        shell: sh
        run: |
          ls -latR /cloudbees/workspace
      - id: print-outputs-from-gosec-step
        name: print outputs from upstream gosec step
        uses: docker://alpine:latest
        run: |
          # Printing all outputs
          echo "Outputs from upstream gosec step:"
          echo "Critical count: ${{steps.gosec-step.outputs.critical-count}}"
          echo "Very high count: ${{steps.gosec-step.outputs.very-high-count}}"
          echo "High count: ${{steps.gosec-step.outputs.high-count}}"
          echo "Medium count: ${{steps.gosec-step.outputs.medium-count}}"
          echo "Low count: ${{steps.gosec-step.outputs.low-count}}"
```

The following example uses the action output in a downstream job:
```yaml
name: my-workflow
kind: workflow
apiVersion: automation.cloudbees.io/v1alpha1
on:
  push:
    branches:
      - main
permissions:
  scm-token-own: read
  scm-token-org: read
  id-token: write
jobs:
  job1:
    outputs:
      gosec-job-output-critical: ${{ steps.gosec-step.outputs.critical-count }}
      gosec-job-output-very-high: ${{ steps.gosec-step.outputs.very-high-count }}
      gosec-job-output-high: ${{ steps.gosec-step.outputs.high-count }}
      gosec-job-output-medium: ${{ steps.gosec-step.outputs.medium-count }}
      gosec-job-output-low: ${{ steps.gosec-step.outputs.low-count }}
    steps:
      - name: check out source code
        uses: cloudbees-io/checkout@v1
        with:
          repository: my-gh-repo-org/my-repo
          ref: main
          token: ${{ secrets.GIT_PAT }}
      - id: gosec-step
        name: gosec scan
        uses: cloudbees-io/gosec-plugin@v1
  job2:
    needs: job1
    steps:
      - id: print-outputs-from-job1
        name: print outputs from upstream job1
        uses: docker://alpine:latest
        run: |
          # Printing all outputs
          echo "Outputs from upstream gosec job:"
          echo "Critical count: ${{ needs.job1.outputs.gosec-job-output-critical }}"
          echo "Very high count: ${{ needs.job1.outputs.gosec-job-output-very-high }}"
          echo "High count: ${{ needs.job1.outputs.gosec-job-output-high }}"
          echo "Medium count: ${{ needs.job1.outputs.gosec-job-output-medium }}"
          echo "Low count: ${{ needs.job1.outputs.gosec-job-output-low }}"
```

This code is made available under the MIT license.
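The examples above only print the counts; the introduction also mentions using them as a quality gate. The following is an added example, not code from the gosec-plugin project or from the CloudBees documentation: a POSIX sh script that would form the `run:` body of a step placed after the gosec step, taking the five counts from environment variables populated from the step outputs. The variable names (GOSEC_CRITICAL and so on), the policy thresholds, and the wiring shown in the comments are assumptions made for this example. Besides failing the step when the policy is exceeded, it refuses to treat an empty or non-numeric value as zero, so a scan that did not actually run cannot pass the gate silently.

```shell
#!/bin/sh
# Added example (not part of the cloudbees-io/gosec-plugin project): a quality
# gate over the severity counts the action emits. In a workflow this script is
# the `run:` body of a step after the gosec step, with the counts passed in
# through `env:`, e.g.
#   env:
#     GOSEC_CRITICAL:  ${{ steps.gosec-step.outputs.critical-count }}
#     GOSEC_VERY_HIGH: ${{ steps.gosec-step.outputs.very-high-count }}
#     GOSEC_HIGH:      ${{ steps.gosec-step.outputs.high-count }}
#     GOSEC_MEDIUM:    ${{ steps.gosec-step.outputs.medium-count }}
#     GOSEC_LOW:       ${{ steps.gosec-step.outputs.low-count }}
# The variable names and the thresholds below are assumptions for this example.

# gosec_gate CRITICAL VERY_HIGH HIGH MEDIUM LOW [MAX_BLOCKING] [MAX_MEDIUM]
#
# Assumed policy: findings rated High, Very high or Critical are "blocking" and
# fail the gate once their total exceeds MAX_BLOCKING (default 0); Medium
# findings are capped at MAX_MEDIUM (default 5); Low findings are reported only.
# Return status: 0 = within policy, 1 = policy violated, 2 = malformed input.
gosec_gate() {
  critical=$1
  very_high=$2
  high=$3
  medium=$4
  low=$5
  max_blocking=${6-0}
  max_medium=${7-5}

  # The outputs are strings. If the gosec step did not produce them, the
  # value arrives empty; treating that as "0 findings" would pass unscanned
  # code, so anything that is not a plain non-negative integer is rejected.
  for v in "$critical" "$very_high" "$high" "$medium" "$low"; do
    case "$v" in
      ''|*[!0-9]*)
        echo "gate: refusing to gate on non-numeric count '$v'" >&2
        return 2 ;;
    esac
  done

  blocking=$((critical + very_high + high))
  if [ "$blocking" -gt "$max_blocking" ]; then
    echo "gate: FAIL - $blocking finding(s) rated High or above (limit $max_blocking)" >&2
    return 1
  fi
  if [ "$medium" -gt "$max_medium" ]; then
    echo "gate: FAIL - $medium Medium finding(s) (limit $max_medium)" >&2
    return 1
  fi
  echo "gate: PASS - high or above: $blocking, medium: $medium, low: $low (not gated)"
  return 0
}

# The step's exit status is that of this final command, so a policy violation
# fails the step and everything that `needs` it. ${VAR-0} substitutes 0 only
# when the variable is unset (stand-alone run); an empty value set by the
# workflow is passed through and rejected by the numeric check above.
gosec_gate "${GOSEC_CRITICAL-0}" "${GOSEC_VERY_HIGH-0}" "${GOSEC_HIGH-0}" \
           "${GOSEC_MEDIUM-0}" "${GOSEC_LOW-0}"
```

Because the step image is whatever you put in `uses:` (alpine in the examples above), the script sticks to POSIX sh features so it runs under BusyBox `sh` without bash. Raise the limits by passing the sixth and seventh arguments, or tighten them to zero, rather than editing the comparison logic.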
- Learn more about using actions in CloudBees workflows.
- Learn about CloudBees platform.