---
copyright:
lastupdated: "2024-10-09"
keywords: DevSecOps, gosec, IBM Cloud
subcollection: devsecops
---

{{site.data.keyword.attribute-definition-list}}

# gosec scans
{: #devsecops-gosec}

Use gosec to inspect Go source code in the repositories that the pipeline scans.
## Parameters
{: #devsecops-gosec-parms}

The pipeline needs the parameter in Table 1 to run the gosec scan. For a full list of pipeline parameters, see Pipeline parameters.

| Name | Type | Description | Required or optional |
|---|---|---|---|
| `opt-in-gosec` | text | Enables gosec scans | Required |
{: caption="gosec scan parameters" caption-side="top"}
## Private repositories
{: #devsecops-gosec-private-repos}

If your project requires dependencies that are located in a private Git repository and therefore needs SSH-based authentication, you can enable the pipeline to retrieve the dependencies by providing optional parameters. For more information, see Enable download of dependencies for private repositories.

If a proxy must be used to retrieve dependencies, you can specify its URL along with the credentials (username and token) by using pipeline parameters. For more information, see Enable GOPROXY.
### Enable download of dependencies for private repositories
{: #devsecops-gosec-enable-download}

To enable the pipeline to download dependencies from a private repository, provide all of the following pipeline parameters.

| Name | Type | Description | Required or optional |
|---|---|---|---|
| `gosec-private-repository-url` | text | (Deprecated) Your private repository base URL. | Optional |
| `gosec-private-repository-host` | text | Your private repository host. For example, `github.ibm.com`. | Optional |
| `gosec-private-repository-ssh-key` | secret | The SSH key for the private repository. | Optional |
| `gosec-private-repository-user` | text | User for HTTPS access to the private repository (defaults to `x-oauth-basic`). | Optional |
| `gosec-private-repository-token` | secret | The token used for HTTPS access to the private repository (defaults to the token of the first Git integration in the toolchain whose repository URL is hosted on the value of `gosec-private-repository-host`). | Optional |
{: caption="pipeline parameters" caption-side="top"}
### Enable GOPROXY
{: #devsecops-gosec-enable-goproxy}

If a GOPROXY must be specified, all of the following parameters must be provided.

| Name | Type | Description | Required or optional |
|---|---|---|---|
| `gosec-proxy-virtual-repository-user` | text | The virtual repository user for the gosec proxy. | Optional |
| `gosec-proxy-virtual-repository-token` | secret | The virtual repository token for the gosec proxy. | Optional |
| `gosec-proxy-virtual-repository-url` | text | The virtual repository URL for the gosec proxy. | Optional |
{: caption="GOPROXY parameters" caption-side="top"}
## Optional parameters
{: #devsecops-gosec-params-opt}

Use the `gosec-scan-image` parameter to specify a different gosec image, such as a custom image or a specific version of the official gosec image. The use of `gosec-additional-flags` is shown in the examples section.

| Name | Type | Description |
|---|---|---|
| `gosec-additional-flags` | text | Additional flags that are inserted at the start of the gosec command, before the flags that the pipeline sets. |
| `gosec-scan-image` | text | Specifies an alternative gosec image, including custom images or specific versions of the official image. |
{: caption="gosec optional parameters" caption-side="top"}
## Examples
{: #devsecops-gosec-examples}

Define the value of `gosec-additional-flags` as `-exclude-dir=<your_folder_1> -exclude-dir=<your_folder_2> -nosec=true`, and the gosec command that the pipeline runs becomes:

```bash
./gosec -exclude-dir=<your_folder_1> -exclude-dir=<your_folder_2> -nosec=true -no-fail -fmt=json -out=gosec-results.json -stdout -verbose=text ./...
```
{: codeblock}
## Configuration file
{: #devsecops-gosec-config-file}

If you want to modify the default configuration, create a `config.json` file in the target repository. For more information about the analysis parameters in the configuration file, see gosec configuration.
## Using your own static scan implementation
{: #devsecops-gosec-otherscan}

If you want to use your own static scan implementation, modify your `.pipeline-config.yaml` file and add your own custom script to the `static-scan` stage. For more information, see Custom scripts.
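As an added example that is not part of this documentation or of the pipeline's own scripts, the following Python script reads the `gosec-results.json` that the command in the examples section writes and applies a severity and confidence gate. Because the pipeline runs gosec with `-no-fail`, a custom `static-scan` script can use such a gate to decide its own exit status. The sample JSON document, file names, rule hits and thresholds are constructed for illustration.

```python
import json
import sys
from collections import Counter

RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}  # order of gosec's severity and confidence labels

# Constructed sample in the shape gosec writes with -fmt=json (real runs write gosec-results.json).
SAMPLE_RESULTS = json.dumps({
    "Golang errors": {},
    "Issues": [
        {"severity": "HIGH", "confidence": "HIGH", "rule_id": "G404",
         "details": "Use of weak random number generator (math/rand instead of crypto/rand)",
         "file": "pkg/token/token.go", "line": "17", "nosec": False},
        {"severity": "MEDIUM", "confidence": "HIGH", "rule_id": "G304",
         "details": "Potential file inclusion via variable",
         "file": "cmd/server/main.go", "line": "42", "nosec": False},
        {"severity": "LOW", "confidence": "HIGH", "rule_id": "G104",
         "details": "Errors unhandled.",
         "file": "cmd/server/main.go", "line": "58", "nosec": True},
    ],
    "Stats": {"files": 3, "lines": 240, "nosec": 1, "found": 3},
})

def summarize(results_json, min_severity="MEDIUM", min_confidence="MEDIUM"):
    """Count findings by severity and list those that should block the stage.

    A finding blocks when its severity and confidence both reach the
    thresholds; findings reported with "nosec": true (suppressed in the
    source with a #nosec annotation) are counted but never block.
    """
    data = json.loads(results_json)
    counts = Counter()
    blocking = []
    for issue in data.get("Issues", []):
        counts[issue["severity"]] += 1
        if issue.get("nosec"):
            continue
        if (RANK[issue["severity"]] >= RANK[min_severity]
                and RANK[issue["confidence"]] >= RANK[min_confidence]):
            blocking.append(f'{issue["rule_id"]} {issue["file"]}:{issue["line"]}: {issue["details"]}')
    return dict(counts), blocking

if __name__ == "__main__":
    # Usage: gate.py [gosec-results.json]; exits 1 when any finding blocks.
    path = sys.argv[1] if len(sys.argv) > 1 else "gosec-results.json"
    with open(path, encoding="utf-8") as fh:
        counts, blocking = summarize(fh.read())
    print(f"findings by severity: {counts}", *blocking, sep="\n")
    sys.exit(1 if blocking else 0)
```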