Github Action Doesnt Work

[dcaponi]

Summary

Adding gosec to a github action per the recommendation in the readme does not work.

Steps to reproduce the behavior

on: [push, pull_request]
name: Test
jobs:
  test:
    strategy:
      matrix:
        go-version: [1.13.x, 1.14.x]
        platform: [ubuntu-latest, macos-latest, windows-latest]
    runs-on: ${{ matrix.platform }}
    env:
      GO111MODULE: on
    steps:
    - name: Install Go
      uses: actions/setup-go@v1
      with:
        go-version: ${{ matrix.go-version }}
    - name: Checkout code
      uses: actions/checkout@v2
    - name: Format It!
      run: go fmt ./...
    - name: Vet It!
      run: go vet ./...
    - name: Secure It!
      uses: securego/gosec@master
      with:
        args: ./...
    - name: Test
      run: go test ./...

Add the github action above to a Go program.
Trigger the action

gosec version

2.2.0

Go version (output of 'go version')

1.13 / 1.14

Operating system / Environment

ubuntu, windows, macos

Expected behavior

gosec runs and shows me security flaws

Actual behavior

Run securego/gosec@master
/usr/bin/docker run --name securegogosec_fea4c0 --label c27d31 --workdir /github/workspace --rm -e GO111MODULE -e GOROOT -e INPUT_ARGS -e HOME -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/onelogin-go-sdk/onelogin-go-sdk":"/github/workspace" securego/gosec  "./..."
[gosec] 2020/04/29 23:19:42 Including rules: default
[gosec] 2020/04/29 23:19:42 Excluding rules: default
[gosec] 2020/04/29 23:19:42 Import directory: /github/workspace/pkg/oltypes
[gosec] 2020/04/29 23:19:42 Import directory: /github/workspace/internal/customerrors
[gosec] 2020/04/29 23:19:42 Import directory: /github/workspace/internal/services
[gosec] 2020/04/29 23:19:42 Import directory: /github/workspace/pkg/client
[gosec] 2020/04/29 23:19:42 Import directory: /github/workspace/pkg/models
Results:

Golang errors in file: [internal/customerrors]:

[ccojocar]

@dcaponi Thanks for reporting this issue. Does it work when you run the gosec locally against your project?

Just looking at the output you posted above, it seems that there are some go errors in the file mentioned above. The gosec binary was executed by the action since there is some output returned by the tool.

You can find an example in this project https://github.com/ccojocar/go-with-github-workflow/blob/88282398fe981066bdf2e4dda7385d495f846032/.github/workflows/ci.yml#L25 which works for me.

[dcaponi]

Hey @ccojocar thanks for the reply! The reason I brought it up was because it does work locally

From the root of my project on my local:

gosec ./...
[gosec] 2020/04/30 07:57:13 Including rules: default
[gosec] 2020/04/30 07:57:13 Excluding rules: default
[gosec] 2020/04/30 07:57:13 Import directory: /Users/dominickcaponi/go/src/github.com/onelogin/onelogin-go-sdk/internal/customerrors
[gosec] 2020/04/30 07:57:14 Checking package: customerrors
[gosec] 2020/04/30 07:57:14 Checking file: /Users/dominickcaponi/go/src/github.com/onelogin/onelogin-go-sdk/internal/customerrors/oneloginerror.go
[gosec] 2020/04/30 07:57:14 Checking file: /Users/dominickcaponi/go/src/github.com/onelogin/onelogin-go-sdk/internal/customerrors/requesterror.go
[gosec] 2020/04/30 07:57:14 Import directory: /Users/dominickcaponi/go/src/github.com/onelogin/onelogin-go-sdk/internal/services
[gosec] 2020/04/30 07:57:14 Checking package: services
[gosec] 2020/04/30 07:57:14 Checking file: /Users/dominickcaponi/go/src/github.com/onelogin/onelogin-go-sdk/internal/services/apps.go
[gosec] 2020/04/30 07:57:14 Checking file: /Users/dominickcaponi/go/src/github.com/onelogin/onelogin-go-sdk/internal/services/auth.go
[gosec] 2020/04/30 07:57:14 Checking file: /Users/dominickcaponi/go/src/github.com/onelogin/onelogin-go-sdk/internal/services/errors.go
[gosec] 2020/04/30 07:57:14 Checking file: /Users/dominickcaponi/go/src/github.com/onelogin/onelogin-go-sdk/internal/services/olrequest.go
[gosec] 2020/04/30 07:57:14 Checking file: /Users/dominickcaponi/go/src/github.com/onelogin/onelogin-go-sdk/internal/services/session_login_tokens.go
[gosec] 2020/04/30 07:57:14 Import directory: /Users/dominickcaponi/go/src/github.com/onelogin/onelogin-go-sdk/pkg/client
[gosec] 2020/04/30 07:57:14 Checking package: client
[gosec] 2020/04/30 07:57:14 Checking file: /Users/dominickcaponi/go/src/github.com/onelogin/onelogin-go-sdk/pkg/client/client.go
[gosec] 2020/04/30 07:57:14 Checking file: /Users/dominickcaponi/go/src/github.com/onelogin/onelogin-go-sdk/pkg/client/client_config.go
[gosec] 2020/04/30 07:57:14 Import directory: /Users/dominickcaponi/go/src/github.com/onelogin/onelogin-go-sdk/pkg/models
[gosec] 2020/04/30 07:57:15 Checking package: models
[gosec] 2020/04/30 07:57:15 Checking file: /Users/dominickcaponi/go/src/github.com/onelogin/onelogin-go-sdk/pkg/models/app.go
[gosec] 2020/04/30 07:57:15 Checking file: /Users/dominickcaponi/go/src/github.com/onelogin/onelogin-go-sdk/pkg/models/app_configuration.go
[gosec] 2020/04/30 07:57:15 Checking file: /Users/dominickcaponi/go/src/github.com/onelogin/onelogin-go-sdk/pkg/models/app_parameters.go
[gosec] 2020/04/30 07:57:15 Checking file: /Users/dominickcaponi/go/src/github.com/onelogin/onelogin-go-sdk/pkg/models/app_provisioning.go
[gosec] 2020/04/30 07:57:15 Checking file: /Users/dominickcaponi/go/src/github.com/onelogin/onelogin-go-sdk/pkg/models/app_sso.go
[gosec] 2020/04/30 07:57:15 Checking file: /Users/dominickcaponi/go/src/github.com/onelogin/onelogin-go-sdk/pkg/models/app_sso_certificate.go
[gosec] 2020/04/30 07:57:15 Checking file: /Users/dominickcaponi/go/src/github.com/onelogin/onelogin-go-sdk/pkg/models/auth.go
[gosec] 2020/04/30 07:57:15 Checking file: /Users/dominickcaponi/go/src/github.com/onelogin/onelogin-go-sdk/pkg/models/session_login_token.go
[gosec] 2020/04/30 07:57:15 Checking file: /Users/dominickcaponi/go/src/github.com/onelogin/onelogin-go-sdk/pkg/models/session_login_token_request.go
[gosec] 2020/04/30 07:57:15 Import directory: /Users/dominickcaponi/go/src/github.com/onelogin/onelogin-go-sdk/pkg/oltypes
[gosec] 2020/04/30 07:57:15 Checking package: oltypes
[gosec] 2020/04/30 07:57:15 Checking file: /Users/dominickcaponi/go/src/github.com/onelogin/onelogin-go-sdk/pkg/oltypes/bool.go
[gosec] 2020/04/30 07:57:15 Checking file: /Users/dominickcaponi/go/src/github.com/onelogin/onelogin-go-sdk/pkg/oltypes/number.go
[gosec] 2020/04/30 07:57:15 Checking file: /Users/dominickcaponi/go/src/github.com/onelogin/onelogin-go-sdk/pkg/oltypes/strings.go
Results:


Summary:
   Files: 21
   Lines: 869
   Nosec: 1
  Issues: 0

I can try making my action match more closely to this example but as you may notice, the way you've configured your gosec tool to run there matches how I've done it in mine which makes me wonder is there a certain config or setup step in github thats missing.

[dcaponi]

Ah I think I've identified my issue. I scaled back my testing matrix to only use ubuntu-latest and removed the step to install go and it works.

I tried adding more platforms (windows, macos) and got. Likely not the end of the world. A heads up in the readme would be a good idea imo :)

Run securego/gosec@master
##[error]Container action is only supported on Linux

[dcaponi]

Going to close since this isn't blocking me. Let me know if you have any other questions. Thanks for humoring me!

[aldas]

having similar problem (matrix + actions/setup-go@v1) workflow

Golang errors in file: [.]:

  > [line 0 : column 0] - loading files from package ".": err: exit status 2: stderr: go: cannot find GOROOT directory: /opt/hostedtoolcache/go/1.14.4/x64

workaround for me is:

    - name: Run Gosec Security Scanner
      run: |
        export PATH=$PATH:$(go env GOPATH)/bin
        go get github.com/securego/gosec/cmd/gosec
        gosec ./...

documenting it here if someone has similar problem

[siarhei-cma]

Thank you @aldas!

[francoisjacques]

Works like a charm. Thank you @aldas !

[cschneider4711]

Had the same/similar issue in GitHub action with Go 1.18 and generics and solved it this way:

• Updated code to use Go 1.18 generics --> GoSec without Go 1.18 (as expected) complained about keywords like "any" (replaces interface{}), therefore I updated to Go 1.18 in GitHub action.
• Then (Go 1.18 now in GitHub action installed before GoSec runs) GoSec complains: "cannot find GOROOT directory: /opt/hostedtoolcache/go/1.18.0/x64"
• Solution was to modify the comment from aldas above a bit to fit 1.18 (go install)

        run: | # https://github.com/securego/gosec/issues/469
          export PATH=$PATH:$(go env GOPATH)/bin
          go install github.com/securego/gosec/v2/cmd/gosec@latest
          gosec ./...

Now GitHub workflow works again like a charm with GoSec and 1.18 generics ;)