# variables in the GitLab CI/CD variables:
# GITLAB_TOKEN to support the semantic-release
# DOCKER_AUTH_CONFIG to support the usage of private docker images as job docker image
# TMPL_RELEASE_ENABLED to enable the semantic-release job
# TBC_NAMESPACE: smartdatalab/public/ci-cd-components
include:
- project: "to-be-continuous/tools/gitlab-ci"
ref: "master"
file: "/templates/extract.yml"
- project: "to-be-continuous/tools/gitlab-ci"
ref: "master"
file: "/templates/validation.yml"
- project: "to-be-continuous/kicker"
ref: "master"
file: "/templates/validation.yml"
- component: $CI_SERVER_FQDN/to-be-continuous/bash/gitlab-ci-bash@3.4
- component: $CI_SERVER_FQDN/$TBC_NAMESPACE/gitlab-ci/extract@master
inputs:
extract-script-job-tags: ["docker"]
- component: $CI_SERVER_FQDN/$TBC_NAMESPACE/gitlab-ci/validation@master
inputs:
check-links-job-tags: ["docker"]
tbc-check-job-tags: ["docker"]
tbc-check-image: cicd-docker-dev.artifact.tecnalia.dev/tbc-check:master
gitlab-ci-lint-job-tags: ["docker"]
- component: $CI_SERVER_FQDN/$TBC_NAMESPACE/kicker/validation@master
inputs:
kicker-validation-job-tags: ["docker"]
schema-base-url: "https://git.code.tecnalia.dev/api/v4/projects/smartdatalab%2Fpublic%2Fci-cd-components%2Fkicker/repository/files"
- component: $CI_SERVER_FQDN/$TBC_NAMESPACE/bash/gitlab-ci-bash@master
inputs:
bash-shellcheck-job-tags: ["docker"]
shellcheck-files: "*.sh"
- component: $CI_SERVER_FQDN/to-be-continuous/semantic-release/gitlab-ci-semrel@3.11
- component: $CI_SERVER_FQDN/$TBC_NAMESPACE/semantic-release/gitlab-ci-semrel@master
inputs:
semantic-release-job-tags: ["docker"]
- component: $CI_SERVER_FQDN/$TBC_NAMESPACE/gitleaks/gitlab-ci-gitleaks@master
inputs:
gitleaks-job-tags: ["docker"]
variables:
GITLAB_CI_FILES: "templates/gitlab-ci-golang.yml"
GIT_STRATEGY: clone
semantic-release:
rules:
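Review bot: Every `$TBC_NAMESPACE` component is included at `@master` and `tbc-check-image` uses the mutable `tbc-check:master` tag, so each pipeline executes whatever those refs resolve to at run time rather than a reviewed, reproducible version; pin them to a release tag (and a digest for the image) the way `gitlab-ci-bash@3.4` and `gitlab-ci-semrel@3.11` are pinned. With the +/- markers lost on this page it is not clear whether the upstream `to-be-continuous/...` entries and the `$TBC_NAMESPACE/...` entries for bash and semantic-release are old/new pairs or both survive in the new file; if both survive, the same jobs are declared twice and the later include silently wins. The `semantic-release` job's `rules` continue outside the hunk.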
## [4.11.1](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/golang/compare/4.11.0...4.11.1) (2025-01-20)
### Bug Fixes
* semgrep subdir ([0e26288](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/golang/commit/0e26288dd6b27ce3e4b92ab5c21e6a73d1152902))
## [4.11.1](https://gitlab.com/to-be-continuous/golang/compare/4.11.0...4.11.1) (2024-12-06)
### Bug Fixes
* semgrep subdir ([0e26288](https://gitlab.com/to-be-continuous/golang/commit/0e26288dd6b27ce3e4b92ab5c21e6a73d1152902))
# [4.11.0](https://gitlab.com/to-be-continuous/golang/compare/4.10.0...4.11.0) (2024-08-30)
......@@ -10,7 +24,7 @@
### Features
* optional installation of Go tools ([5a78d9d](https://gitlab.com/to-be-continuous/golang/commit/5a78d9d8000b45edf165940eba35b6f196e97bf5))
* optional installation of Go tools ([5a78d9d](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/golang/commit/5a78d9d8000b45edf165940eba35b6f196e97bf5))
## [4.9.2](https://gitlab.com/to-be-continuous/golang/compare/4.9.1...4.9.2) (2024-07-02)
......@@ -14,7 +14,7 @@ Add the following to your `.gitlab-ci.yml`:
```yaml
include:
# 1: include the component
- component: $CI_SERVER_FQDN/to-be-continuous/golang/gitlab-ci-golang@4.11.0
- component: $CI_SERVER_FQDN/to-be-continuous/golang/gitlab-ci-golang@4.11.1
# 2: set/override component inputs
inputs:
image: "registry.hub.docker.com/library/golang:buster" # ⚠ this is only an example
......@@ -28,7 +28,7 @@ Add the following to your `.gitlab-ci.yml`:
include:
# 1: include the template
- project: 'to-be-continuous/golang'
ref: '4.11.0'
ref: '4.11.1'
file: '/templates/gitlab-ci-golang.yml'
variables:
......@@ -57,6 +57,7 @@ It is disable by default and can be enabled by setting the `GO_GENERATE_MODULES`
| Input / Variable | Description | Default value |
|------------------|------------------------------------------------------------------------------------------------------------|-----------------|
| `generate-modules` / `GO_GENERATE_MODULES` | Space separated list of Go code generator modules (ex: `stringer mockery`) | _none_ (disabled) |
| `go-generate-job-tags` / `GO_GENERATE_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
#### Capture generated files as job artifacts
......@@ -144,13 +145,16 @@ These jobs use the following variable:
| `target-os` / `GO_TARGET_OS` | The `GOOS` target [see available values](https://gist.github.com/asukakenji/f15ba7e588ac42795f421b48b8aede63) | _none_ (fallback to go docker image `GOOS`) |
| `target-arch` / `GO_TARGET_ARCH` | The `GOARCH` target [see available values](https://gist.github.com/asukakenji/f15ba7e588ac42795f421b48b8aede63) | _none_ (fallback to go docker image `GOARCH`) |
| `cobertura-flags` / `GO_COBERTURA_FLAGS` | The `GOFLAGS` to use with `gocover-cobertura` if needed | _none_ |
| `go-build-job-tags` / `GO_BUILD_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
| `go-test-job-tags` / `GO_TEST_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
| `go-build-test-job-tags` / `GO_BUILD_TEST_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
In addition to a textual report in the console, the test jobs produce the following reports, kept for one day:
| Report | Format | Usage |
|-----------------------------------------------------|------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| `$GO_PROJECT_DIR/reports/go-test.native.txt` | native Go test report (text) | N/A |
| `$GO_PROJECT_DIR/reports/go-test.native.json` | native Go test report (json) | [SonarQube integration](https://docs.sonarqube.org/latest/analysis/test-coverage/test-execution-parameters/#header-8) |
| `$GO_PROJECT_DIR/reports/go-test.native.json` | native Go test report (json) | [SonarQube integration](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/test-coverage/test-execution-parameters/#go) |
| `$GO_PROJECT_DIR/reports/go-test.xunit.xml` | [xUnit](https://en.wikipedia.org/wiki/XUnit) test report(s) | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsjunit) |
| `$GO_PROJECT_DIR/reports/go-coverage.native.out` | native Go coverage | N/A |
| `$GO_PROJECT_DIR/reports/go-coverage.cobertura.xml` | [Cobertura XML](https://gcovr.com/en/stable/output/cobertura.html) coverage report | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscoverage_report) |
......@@ -166,13 +170,42 @@ It is bound to the `build` stage, and uses the following variables:
| `ci-lint-image` / `GO_CI_LINT_IMAGE` | The Docker image used to run `golangci-lint` | `registry.hub.docker.com/golangci/golangci-lint:latest-alpine` |
| `ci-lint-args` / `GO_CI_LINT_ARGS` | `golangci-lint` [command line arguments](https://github.com/golangci/golangci-lint#command-line-options) | `-E gosec,goimports ./...` |
| `ci-lint-disabled` / `GO_CI_LINT_DISABLED` | Set to `true` to disable this job | _none_ (enabled) |
| `go-ci-lint-job-tags` / `GO_CI_LINT_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
In addition to a textual report in the console, this job produces the following reports, kept for one day:
| Report | Format | Usage |
|-------------------------------------------------------|----------------------------------------------------------|-------------------------------------------------------------------------------------------------------------|
| `$GO_PROJECT_DIR/reports/go-ci-lint.codeclimate.json` | [Code Climate](https://docs.codeclimate.com/docs/pylint) | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscodequality) |
| `$GO_PROJECT_DIR/reports/go-ci-lint.checkstyle.xml` | Checkstyle | [SonarQube integration](https://docs.sonarqube.org/latest/analysis/external-issues/) |
| `$GO_PROJECT_DIR/reports/go-ci-lint.checkstyle.xml` | Checkstyle | [SonarQube integration](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/importing-external-issues/external-analyzer-reports/) |
### `go-semgrep` job
This job performs a [Semgrep](https://semgrep.dev/docs/) analysis.
It is bound to the `test` stage, and uses the following variables:
| Input / Variable | Description | Default Value |
| ---------------- | ----------- | ------------- |
| `semgrep-disabled` / `GO_SEMGREP_DISABLED` | Set to `true` to disable this job | _none_ |
| `semgrep-image` / `GO_SEMGREP_IMAGE` | The Docker image used to run [Semgrep](https://semgrep.dev/docs/) | `registry.hub.docker.com/semgrep/semgrep:latest` |
| `semgrep-args` / `GO_SEMGREP_ARGS` | Semgrep [scan options](https://semgrep.dev/docs/cli-reference#semgrep-scan-command-options) | `--metrics off --disable-version-check` |
| `semgrep-rules` / `GO_SEMGREP_RULES` | Space-separated list of [Semgrep rules](https://semgrep.dev/docs/running-rules).<br/>Can be both local YAML files or remote rules from the [Segmrep Registry](https://semgrep.dev/explore) (denoted by the `p/` prefix). | `p/golang p/gosec` |
| `semgrep-download-rules-enabled` / `GO_SEMGREP_DOWNLOAD_RULES_ENABLED` | Download Semgrep remote rules | `true` |
> :information_source: Semgrep may [collect some metrics](https://semgrep.dev/docs/metrics), especially when using rules from the Semgrep Registry.
> To protect your privacy and let you run Semgrep in air-gap environments, this template disables all Semgrep metrics by default:
>
> * rules from the Semgrep registry are pre-downloaded and passed to Semgrep as local rule files (can be disabled by setting `semgrep-download-rules-enabled` / `GO_SEMGREP_DOWNLOAD_RULES_ENABLED` to `false`),
> * the `--metrics` option is set to `off`,
> * the `--disable-version-check` option is set.
In addition to a textual report in the console, this job produces the following reports, kept for one week:
| Report | Format | Usage |
| ------ | ------ | ----- |
| `$GO_PROJECT_DIR/reports/golang-semgrep.gitlab.json` | [GitLab's SAST format](https://semgrep.dev/docs/cli-reference#semgrep-scan-command-options) | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportssast) |
| `$GO_PROJECT_DIR/reports/golang-semgrep.native.json` | [Semgrep's JSON format](https://semgrep.dev/docs/cli-reference#semgrep-scan-command-options) | [DefectDojo integration](https://docs.defectdojo.com/en/connecting_your_tools/parsers/file/semgrep/)<br/>_This report is generated only if DefectDojo template is detected_ |
### `go-mod-outdated` job
......@@ -183,6 +216,7 @@ It is bound to the `test` stage, and uses the following variables:
| Input / Variable | Description | Default value |
|------------------------|-----------------------------------------------------------------------------------------------|-------------------|
| `mod-outdated-args` / `GO_MOD_OUTDATED_ARGS` | `god-mod-outdated` [command line arguments](https://github.com/psampaz/go-mod-outdated#usage) | `-update -direct` |
| `go-mod-outdated-job-tags` / `GO_MOD_OUTDATED_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
Checking outdated modules can be a long operation and therefore the job is configured to be ran **manually** by default (overridable).
......@@ -191,7 +225,7 @@ Checking outdated modules can be a long operation and therefore the job is confi
If you're using the SonarQube template to analyse your Go code, here is a sample `sonar-project.properties` file:
```properties
# see: https://docs.sonarqube.org/latest/analyzing-source-code/test-coverage/test-execution-parameters/#go
# see: https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/test-coverage/test-execution-parameters/#go
# set your source directory(ies) here (relative to the sonar-project.properties file)
sonar.sources=.
# exclude unwanted directories and files from being analysed
......@@ -212,9 +246,9 @@ sonar.go.golangci-lint.reportPaths=reports/go-ci-lint.checkstyle.xml
More info:
* [Go language support](https://docs.sonarqube.org/latest/analyzing-source-code/test-coverage/test-execution-parameters/#go)
* [test coverage & execution parameters](https://docs.sonarqube.org/latest/analysis/coverage/)
* [third-party issues](https://docs.sonarqube.org/latest/analysis/external-issues/)
* [Go language support](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/test-coverage/test-execution-parameters/#go)
* [test coverage](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/test-coverage/test-coverage-parameters/) & [test execution](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/test-coverage/test-execution-parameters/) parameters
* [external analyzer reports](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/importing-external-issues/external-analyzer-reports/)
:warning: an [unsolved issue](https://jira.sonarsource.com/browse/SONARSLANG-450) may prevent SonarQube Go plugin from
importing your test reports.
......@@ -230,6 +264,7 @@ It is bound to the `test` stage, and uses the following variables:
| `sbom-disabled` / `GO_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
| `sbom-image` / `GO_SBOM_IMAGE` | Image of cyclonedx-gomod used for SBOM analysis | `registry.hub.docker.com/cyclonedx/cyclonedx-gomod:latest` |
| `sbom-opts` / `GO_SBOM_OPTS` | [@cyclonedx/cyclonedx-gomod options](https://github.com/CycloneDX/cyclonedx-gomod#usage) used for SBOM analysis | `-main .` |
| `go-sbom-job-tags` / `GO_SBOM_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
:warning: if you don't have your main class located at the root of your `GO_PROJECT_DIR`, then you will need to override the `-main` option in `GO_SBOM_OPTS` and define your real main class location.
......@@ -250,3 +285,4 @@ It is bound to the `test` stage, and uses the following variables:
| --------------------- | -------------------------------------- | ----------------- |
| `vulncheck-disabled` / `GO_VULNCHECK_DISABLED` | Set to `true` to disable this job | _none_
| `vulncheck-args` / `GO_VULNCHECK_ARGS` | `govulncheck` [command line arguments](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck#hdr-Flags) | `./...` |
| `go-govulncheck-job-tags` / `GO_GOVULNCHECK_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
......@@ -27,7 +27,7 @@ if [[ "$curVer" ]]; then
log_info "Bump version from \\e[33;1m${curVer}\\e[0m to \\e[33;1m${nextVer}\\e[0m (release type: $relType)..."
# replace in README
sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\/ref: \$nextVer\/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next
sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\"/ref: \"$nextVer\"/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next
mv -f README.md.next README.md
# replace in template and variants
......@@ -87,6 +87,27 @@
"name": "GO_COBERTURA_FLAGS",
"description": "Build flags to add to use gocover-cobertura, leave blank if not needed",
"advanced": true
},
{
"name": "GO_GO_BUILD_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
},
{
"name": "GO_GO_TEST_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
},
{
"name": "GO_GO_BUILD_TEST_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
}
],
"features": [
......@@ -99,6 +120,13 @@
"name": "GO_GENERATE_MODULES",
"description": "Space separated list of Go code generator modules (ex: `stringer mockery`)",
"mandatory": true
},
{
"name": "GO_GO_GENERATE_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
}
]
},
......@@ -118,6 +146,13 @@
"description": "`golangci-lint` [command line arguments](https://github.com/golangci/golangci-lint#command-line-options)",
"default": "-E gosec,goimports ./...",
"advanced": true
},
{
"name": "GO_GO_CI_LINT_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
}
]
},
......@@ -131,6 +166,13 @@
"description": "`god-mod-outdated` [command line arguments](https://github.com/psampaz/go-mod-outdated#usage",
"default": "-update -direct",
"advanced": true
},
{
"name": "GO_GO_MOD_OUTDATED_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
}
]
},
......@@ -149,6 +191,42 @@
"description": "[@cyclonedx/cyclonedx-gomod options](https://github.com/CycloneDX/cyclonedx-gomod#usage) used for SBOM analysis",
"default": "-main .",
"advanced": true
},
{
"name": "GO_GO_SBOM_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
}
]
},
{
"id": "go-semgrep",
"name": "Semgrep",
"description": "[Semgrep](https://semgrep.dev/docs/) analysis",
"disable_with": "GO_SEMGREP_DISABLED",
"variables": [
{
"name": "GO_SEMGREP_IMAGE",
"description": "The Docker image used to run [Semgrep](https://semgrep.dev/docs/)",
"default": "registry.hub.docker.com/semgrep/semgrep:latest"
},
{
"name": "GO_SEMGREP_ARGS",
"description": "Semgrep [scan options](https://semgrep.dev/docs/cli-reference#semgrep-scan-command-options)",
"default": "--metrics off --disable-version-check"
},
{
"name": "GO_SEMGREP_RULES",
"description": "Space-separated list of [Semgrep rules](https://semgrep.dev/docs/running-rules).\n\nCan be both local YAML files or remote rules from the [Semgrep Registry](https://semgrep.dev/explore) (denoted by the `p/` prefix)",
"default": "p/golang p/gosec"
},
{
"name": "GO_SEMGREP_DOWNLOAD_RULES_ENABLED",
"description": "Download Semgrep remote rules",
"type": "boolean",
"default": "true"
}
]
},
......@@ -163,6 +241,13 @@
"description": "`govulncheck` [command line arguments](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck#hdr-Flags)",
"default": "./...",
"advanced": true
},
{
"name": "GO_GO_GOVULNCHECK_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
}
]
}
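Review bot: The new job-tag variables carry a doubled prefix (`GO_GO_BUILD_JOB_TAGS`, `GO_GO_TEST_JOB_TAGS`, … `GO_GO_GOVULNCHECK_JOB_TAGS`, in every hunk of this file), while the README in this same commit documents them as `GO_BUILD_JOB_TAGS`, `GO_TEST_JOB_TAGS` and so on, and the template hunks only ever read the `inputs.*-job-tags` inputs; one of the two spellings should be corrected so that users configuring via variables get a name that actually exists. In the `go-semgrep` feature, `GO_SEMGREP_DOWNLOAD_RULES_ENABLED` is declared `"type": "boolean"` but its default is the string `"true"`, whereas the component spec uses a real boolean (`default: true`); `"default": true` would be consistent, provided the kicker schema accepts a JSON boolean there.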
......@@ -81,6 +81,26 @@ spec:
ci-lint-args:
description: '`golangci-lint` [command line arguments](https://github.com/golangci/golangci-lint#command-line-options)'
default: -E gosec,goimports ./...
semgrep-image:
description: The Docker image used to run [Semgrep](https://semgrep.dev/docs/)
default: registry.hub.docker.com/semgrep/semgrep:latest
semgrep-disabled:
description: Disable Semgrep
type: boolean
default: false
semgrep-args:
description: Semgrep [scan options](https://semgrep.dev/docs/cli-reference#semgrep-scan-command-options)
default: --metrics off --disable-version-check
semgrep-rules:
description: |-
Space-separeted list of [Semgrep rules](https://semgrep.dev/docs/running-rules).
Can be both local YAML files or remote rules from the [Semgrep Registry](https://semgrep.dev/explore) (denoted by the `p/` prefix)
default: p/golang p/gosec
semgrep-download-rules-enabled:
description: Download Semgrep remote rules
type: boolean
default: true
mod-outdated-args:
description: '`god-mod-outdated` [command line arguments](https://github.com/psampaz/go-mod-outdated#usage'
default: -update -direct
......@@ -100,6 +120,39 @@ spec:
vulncheck-args:
description: '`govulncheck` [command line arguments](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck#hdr-Flags)'
default: ./...
go-generate-job-tags:
description: tags to filter applicable runners for go-generate job
type: array
default: []
go-build-job-tags:
description: tags to filter applicable runners for go-build job
type: array
default: []
go-test-job-tags:
description: tags to filter applicable runners for go-test job
type: array
default: []
go-build-test-job-tags:
description: tags to filter applicable runners for go-build-test job
type: array
default: []
go-ci-lint-job-tags:
description: tags to filter applicable runners for go-ci-lint job
type: array
default: []
go-mod-outdated-job-tags:
description: tags to filter applicable runners for go-mod-outdated job
type: array
default: []
go-sbom-job-tags:
description: tags to filter applicable runners for go-sbom job
type: array
default: []
go-govulncheck-job-tags:
description: tags to filter applicable runners for go-govulncheck job
type: array
default: []
---
workflow:
rules:
......@@ -196,6 +249,11 @@ variables:
GO_CI_LINT_DISABLED: $[[ inputs.ci-lint-disabled ]]
GO_SBOM_DISABLED: $[[ inputs.sbom-disabled ]]
GO_VULNCHECK_DISABLED: $[[ inputs.vulncheck-disabled ]]
GO_SEMGREP_IMAGE: $[[ inputs.semgrep-image ]]
GO_SEMGREP_DISABLED: $[[ inputs.semgrep-disabled ]]
GO_SEMGREP_ARGS: $[[ inputs.semgrep-args ]]
GO_SEMGREP_RULES: $[[ inputs.semgrep-rules ]]
GO_SEMGREP_DOWNLOAD_RULES_ENABLED: $[[ inputs.semgrep-download-rules-enabled ]]
# Image of cyclonedx-gomod used for SBOM analysis
GO_SBOM_IMAGE: $[[ inputs.sbom-image ]]
......@@ -534,6 +592,31 @@ stages:
fi
}
function setup_semgrep_rules() {
if [[ "${GO_SEMGREP_DOWNLOAD_RULES_ENABLED}" == "true" ]]
then
log_info "Download Semgrep rule files..."
for rule in $GO_SEMGREP_RULES
do
if [[ -r $rule ]]
then
log_info "... rule file $rule found: skip"
SEMGREP_RULES="${SEMGREP_RULES} $rule"
else
log_info "... rule file $rule not found : download (https://semgrep.dev/c/$rule)"
dest_file="semgrep-${rule/p\//}.yml"
wget "https://semgrep.dev/c/$rule" -O "$dest_file"
SEMGREP_RULES="${SEMGREP_RULES} $dest_file"
fi
done
SEMGREP_RULES="${SEMGREP_RULES:1}"
export SEMGREP_RULES
else
# download not enabled: simply use $GO_SEMGREP_RULES
export SEMGREP_RULES="${GO_SEMGREP_RULES}"
fi
}
unscope_variables
eval_all_secrets
......@@ -545,7 +628,7 @@ stages:
image: $GO_IMAGE
services:
- name: "$TBC_TRACKING_IMAGE"
command: ["--service", "golang", "4.11.0"]
command: ["--service", "golang", "4.11.1"]
variables:
# The directory where 'go install' will install a command.
GOBIN: "$CI_PROJECT_DIR/$GO_PROJECT_DIR/bin"
......@@ -585,6 +668,7 @@ go-generate:
- "${GO_PROJECT_DIR}/**/mock/"
- "${GO_PROJECT_DIR}/**/mocks/"
- "${GO_PROJECT_DIR}/**/*mock*.go"
tags: $[[ inputs.go-generate-job-tags ]]
go-build:
extends: .go-base
......@@ -598,7 +682,8 @@ go-build:
- $GO_PROJECT_DIR/bin/
rules:
# if $GO_TEST_IMAGE set
- if: '$GO_TEST_IMAGE != ""'
- if: '$GO_TEST_IMAGE'
tags: $[[ inputs.go-build-job-tags ]]
go-test:
extends: .go-base
......@@ -625,6 +710,7 @@ go-test:
- if: '$GO_TEST_IMAGE == ""'
when: never
- !reference [.test-policy, rules]
tags: $[[ inputs.go-test-job-tags ]]
go-build-test:
extends: .go-base
......@@ -651,6 +737,7 @@ go-build-test:
rules:
# if $GO_TEST_IMAGE not set
- if: '$GO_TEST_IMAGE == ""'
tags: $[[ inputs.go-build-test-job-tags ]]
go-ci-lint:
extends: .go-base
......@@ -674,6 +761,38 @@ go-ci-lint:
- if: '$GO_CI_LINT_DISABLED == "true"'
when: never
- !reference [.test-policy, rules]
tags: $[[ inputs.go-ci-lint-job-tags ]]
# SAST: semgrep
go-semgrep:
extends: .go-base
image: $GO_SEMGREP_IMAGE
# unset cache from parent job
cache : {}
dependencies: []
stage: test
before_script:
- !reference [.go-scripts]
- mkdir -p -m 777 ${GO_PROJECT_DIR}/reports
- setup_semgrep_rules
script:
- >-
semgrep ci ${TRACE+--verbose} ${GO_SEMGREP_ARGS} --subdir ${GO_PROJECT_DIR}
--gitlab-sast-output=${GO_PROJECT_DIR}/reports/golang-semgrep.gitlab.json
${DEFECTDOJO_SEMGREP_REPORTS:+--json-output=${GO_PROJECT_DIR}/reports/golang-semgrep.native.json}
artifacts:
name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $ĈI_COMMIT_REF_SLUG"
when: "always"
expire_in: 1 week
reports:
sast: $GO_PROJECT_DIR/reports/golang-semgrep.gitlab.json
paths:
- $GO_PROJECT_DIR/reports/golang-semgrep.*
rules:
# exclude if disable
- if: '$GO_SEMGREP_DISABLED == "true"'
when: never
- !reference [.test-policy, rules]
go-mod-outdated:
extends: .go-base
......@@ -702,6 +821,7 @@ go-mod-outdated:
# else manual & non-blocking
- when: manual
allow_failure: true
tags: $[[ inputs.go-mod-outdated-job-tags ]]
go-sbom:
extends: .go-base
......@@ -738,6 +858,7 @@ go-sbom:
- if: '$GO_SBOM_DISABLED == "true"'
when: never
- !reference [.test-policy, rules]
tags: $[[ inputs.go-sbom-job-tags ]]
go-govulncheck:
extends: .go-base
......@@ -752,3 +873,4 @@ go-govulncheck:
- if: '$GO_VULNCHECK_DISABLED == "true"'
when: never
- !reference [.test-policy, rules]
tags: $[[ inputs.go-govulncheck-job-tags ]]
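Review bot: In the `go-semgrep` job hunk, `artifacts.name` reads `$ĈI_COMMIT_REF_SLUG` with a non-ASCII `Ĉ`, so the variable is undefined and expands to nothing; it should be `name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"`. In `setup_semgrep_rules` the `wget` exit status is not checked: unless the runner shell is running with `set -e`, a failed download leaves an empty or partial `$dest_file` that is still appended to `SEMGREP_RULES` and handed to semgrep, so something like `wget "https://semgrep.dev/c/$rule" -O "$dest_file" || exit 1` would surface the failure where it happens. Because the rule files are fetched from semgrep.dev on every run, committing or mirroring the rule sets the project relies on would keep the scan from changing silently between pipelines. Two smaller items in the same file: `cache : {}` has a space before the colon, and the `semgrep-rules` description says `Space-separeted`.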