Description
Enable an appropriate security linter, such as Gosec for Golang projects, to perform static security scans during the build process.
Why is this necessary?
With the donation of the OCM open source project to the Linux Foundation we should adhere even more closely to OpenSSF best practices. SAST scans with appropriate linters are a requirement in the context of the OpenSSF/CII badge.
Effect
Integrating a security linter into our GitHub repositories' build process is a crucial move towards the shift-left approach. This integration will enhance the quality of our components by identifying and rectifying potential security issues early in the development cycle. Moreover, it will streamline security assessments, reducing the time and effort they require.
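As an added illustration of what gosec reports and why a rule silencing needs a reason attached (this is example code, not OCM or Gardener code), the following contrasts two patterns gosec flags with their hardened forms and shows one justified suppression. The rule IDs G306 and G404 are gosec's own; the function names and the sample file paths are this example's assumptions.

```go
// Added example (not project code): code gosec flags next to its hardened form.
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	insecurerand "math/rand"
	"os"
	"path/filepath"
)

// weakToken is what gosec reports as G404 (insecure random number source):
// math/rand is not a CSPRNG, so tokens derived from it are predictable.
func weakToken() string {
	b := make([]byte, 16)
	for i := range b {
		b[i] = byte(insecurerand.Intn(256)) // gosec: G404
	}
	return hex.EncodeToString(b)
}

// secureToken draws from crypto/rand, which gosec accepts.
func secureToken() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// writeSecretWeak writes a secret world-readable; gosec reports G306
// (WriteFile permissions wider than 0600).
func writeSecretWeak(path, secret string) error {
	return os.WriteFile(path, []byte(secret), 0o644) // gosec: G306
}

// writeSecretHardened restricts the file to its owner, which satisfies G306.
func writeSecretHardened(path, secret string) error {
	return os.WriteFile(path, []byte(secret), 0o600)
}

// writePublicAsset shows a justified suppression: the content is meant to be
// world-readable, so the annotation names the exact rule and the reason,
// rather than a blanket "#nosec" copied from another repository.
func writePublicAsset(path string, content []byte) error {
	return os.WriteFile(path, content, 0o644) // #nosec G306 -- static asset served to unauthenticated clients, must be world-readable
}

// filePerm returns the permission bits of path so results can be checked.
func filePerm(path string) (os.FileMode, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	return fi.Mode().Perm(), nil
}

func main() {
	dir, err := os.MkdirTemp("", "gosec-demo") // constructed scratch location
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	fmt.Println("weak token:  ", weakToken())
	tok, err := secureToken()
	if err != nil {
		panic(err)
	}
	fmt.Println("secure token:", tok)

	p := filepath.Join(dir, "secret")
	if err := writeSecretHardened(p, tok); err != nil {
		panic(err)
	}
	perm, _ := filePerm(p)
	fmt.Printf("secret file mode: %o\n", perm)
}
```

Running `gosec ./...` over this file reports G404 on `weakToken` and G306 on `writeSecretWeak`, while `writePublicAsset` is skipped with its justification visible to reviewers; that is the difference between a rule-silencing that documents a decision and one that was copied without thought.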
Example from the Gardener Project:
- Introduction of gosec linter (please do not blindly copy-paste rule-silencings): Introduce gosec for Static Application Security Testing (SAST) gardener/gardener#9959
- Add linting-logs to OCM-Component-Descriptor (required for reporting / auditing purposes): gardener/gardener@83296bc
- Disable CX-Scans (required until CX-phase-out): gardener/gardener@5a8a0a5
The last two changes affect branch.cfg (refs/meta/ci, hence not via pull request).
Done Criteria
- Code has been reviewed by other team members
- Internal technical Documentation created/updated
- New / changed code is documented
- Analysis of existing tests (Unit and Integration)
- Unit Tests created for new code or existing Unit Tests updated
- Integration Test Suite updated (includes deletion of existing unnecessary Integration Test and/or creation of new ones if required)
- End-user Documentation updated (if applicable)
- Successful demonstration in Review