Configuring GoSec scans
Use gosec to inspect Golang source code in your scanned repositories.
Required parameters
The pipeline needs the parameter in Table 1 to run the Gosec scan. For a full list of pipeline parameters, see Pipeline parameters.
| Name | Type | Description | Required or optional |
|---|---|---|---|
| opt-in-gosec | text | Enables gosec scans | Required |
Enabling gosec scan for private Git repositories
If your project requires dependencies that are located in a private Git repository and therefore need SSH-based authentication, you can enable the pipeline to retrieve those dependencies by providing optional parameters. For more information, see Enable download of dependencies for private repositories.
If a proxy must be specified for retrieving dependencies, you can specify its URL along with the credentials (username and token) by using pipeline parameters. For more information, see Enable GOPROXY.
Enable download of dependencies for private repositories
Downloading dependencies from private repositories can be enabled by providing all of the following pipeline parameters.

| Name | Type | Description | Required or optional |
|---|---|---|---|
| gosec-private-repository-url | text | (deprecated) Your private repository base URL. | optional |
| gosec-private-repository-host | text | Your private repository host. For example, github.ibm.com | optional |
| gosec-private-repository-ssh-key | secret | The SSH key for the private repository | optional |
| gosec-private-repository-user | text | User for the private repository with HTTPS access (defaults to x-oauth-basic) | optional |
| gosec-private-repository-token | secret | The token used for HTTPS access to the private repository (defaults to the token configured for the first Git integration in the toolchain whose repository URL is hosted on the value of gosec-private-repository-host) | optional |
Enable GOPROXY
If GOPROXY must be specified, all of the following parameters must be provided.
| Name | Type | Description | Required or optional |
|---|---|---|---|
| gosec-proxy-virtual-repository-user | text | The virtual repository user for the gosec proxy | optional |
| gosec-proxy-virtual-repository-token | secret | The virtual repository token for the gosec proxy | optional |
| gosec-proxy-virtual-repository-url | text | The virtual repository URL for the gosec proxy | optional |
Optional parameters
The gosec-scan-image parameter can be used to specify a different gosec image, such as a custom image or a specific version of the official gosec image. Usage of the gosec-additional-flags parameter is shown in the Examples section below.

| Name | Type | Description |
|---|---|---|
| gosec-additional-flags | text | Additional flags to be prepended to the gosec command, before the fixed arguments the pipeline always passes. |
| gosec-scan-image | text | Specifies an alternative gosec image, including custom images or specific versions of the official image. |
Examples
If the value of gosec-additional-flags is defined as -exclude-dir=<your_folder_1> -exclude-dir=<your_folder_2> -nosec=true, the gosec command that the pipeline runs becomes:

./gosec -exclude-dir=<your_folder_1> -exclude-dir=<your_folder_2> -nosec=true -no-fail -fmt=json -out=gosec-results.json -stdout -verbose=text ./...

Note that the additional flags are inserted ahead of the fixed arguments (-no-fail, -fmt=json, -out=gosec-results.json, -stdout, -verbose=text and the ./... package pattern), so they cannot replace those arguments, and because -no-fail is always present the scan's exit code does not fail the stage by itself.
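The following is an added example, not code from the IBM docs page or from the DevSecOps pipeline itself. It assembles the gosec command line from a gosec-additional-flags value exactly as the example above shows (extra flags first, then the pipeline's fixed arguments), and it sanity-checks the value before it is spliced into a shell command, since the parameter is free text. The folder names vendor and testdata are constructed stand-ins for <your_folder_1> and <your_folder_2>.

```shell
#!/bin/sh
# Added example (not the pipeline's own code): build and validate the gosec
# command line derived from the gosec-additional-flags parameter.

# Fixed arguments the pipeline appends after any additional flags.
GOSEC_FIXED_ARGS="-no-fail -fmt=json -out=gosec-results.json -stdout -verbose=text ./..."

# build_gosec_cmd "<additional flags>"
# Prints the full gosec command. An empty value yields the default command.
build_gosec_cmd() {
  if [ -n "$1" ]; then
    printf '%s\n' "./gosec $1 $GOSEC_FIXED_ARGS"
  else
    printf '%s\n' "./gosec $GOSEC_FIXED_ARGS"
  fi
}

# validate_additional_flags "<additional flags>"
# Returns 0 when every whitespace-separated token looks like a gosec flag:
# it starts with '-' and contains only characters a flag value or path would
# use. Returns 1 otherwise, so a stray package path or a shell metacharacter
# in the parameter is rejected instead of being spliced into the command.
validate_additional_flags() {
  set -f                      # no pathname expansion while splitting tokens
  for tok in $1; do
    case "$tok" in
      *[!A-Za-z0-9_./=,:-]*) set +f; return 1 ;;
      -?*) ;;
      *) set +f; return 1 ;;
    esac
  done
  set +f
  return 0
}

# Constructed values standing in for <your_folder_1> and <your_folder_2>.
flags="-exclude-dir=vendor -exclude-dir=testdata -nosec=true"
if validate_additional_flags "$flags"; then
  build_gosec_cmd "$flags"
else
  echo "rejected gosec-additional-flags value: $flags" >&2
fi
```

The whitelist in validate_additional_flags is deliberately narrow: gosec flags and the paths passed to -exclude-dir only need letters, digits and a few punctuation characters, so anything else in the parameter value is treated as a configuration error rather than passed through.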
Using your own configuration file
If you want to modify the default configuration, create a config.json file in the target repository. For more information on the analysis parameters in the configuration file, see gosec configuration.
Using another static scan implementation
If you want to use your own static scan implementation, modify your .pipeline-config.yaml file and add your own custom script to the static-scan stage. For more information, see Custom scripts.
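The following is an added example, not code from the IBM docs page or from the DevSecOps pipeline: a custom static-scan stage script of the kind you would reference from .pipeline-config.yaml. It runs gosec with the same command shape the built-in scan uses (keeping -no-fail so the JSON report is always written) and then applies its own gate, failing the stage when the report contains HIGH-severity findings. The environment variables GOSEC_ADDITIONAL_FLAGS, GOSEC_RESULTS_FILE and STATIC_SCAN_RUN, and the way they reach the script, are assumptions of this example, and the sample report is constructed.

```shell
#!/bin/sh
# Added example (not the pipeline's own code): custom static-scan stage that
# runs gosec and fails on HIGH-severity findings. Variable names are assumed.

RESULTS="${GOSEC_RESULTS_FILE:-gosec-results.json}"

# gosec_high_count FILE
# Prints how many HIGH-severity issues a gosec JSON report contains. Matching
# the "severity" key with optional whitespace handles both compact and
# indented JSON without needing jq.
gosec_high_count() {
  grep -oE '"severity": *"HIGH"' "$1" 2>/dev/null | wc -l | tr -d ' '
}

# evaluate_results FILE
# Returns 1 (stage fails) when HIGH-severity issues are present, 0 otherwise.
evaluate_results() {
  n=$(gosec_high_count "$1")
  if [ "$n" -gt 0 ]; then
    echo "static-scan: $n HIGH severity gosec finding(s), see $1" >&2
    return 1
  fi
  echo "static-scan: no HIGH severity gosec findings" >&2
  return 0
}

# run_gosec_scan "<additional flags>"
# Same command shape as the built-in scan; $1 is intentionally unquoted so
# the flags are split into separate arguments.
run_gosec_scan() {
  gosec $1 -no-fail -fmt=json -out="$RESULTS" -stdout -verbose=text ./...
}

# write_sample_report FILE
# Constructed sample in the shape of gosec's JSON output (one HIGH, one
# MEDIUM finding) so the gate can be exercised without a Go toolchain.
write_sample_report() {
  cat > "$1" <<'EOF'
{
  "Issues": [
    {"severity": "HIGH", "confidence": "HIGH", "rule_id": "G101",
     "details": "Potential hardcoded credentials", "file": "main.go", "line": "12"},
    {"severity": "MEDIUM", "confidence": "HIGH", "rule_id": "G104",
     "details": "Errors unhandled.", "file": "main.go", "line": "20"}
  ],
  "Stats": {"files": 1, "lines": 40, "nosec": 0, "found": 2}
}
EOF
}

# static_scan_stage
# Stage entry point: a real scan when gosec is installed, otherwise a dry run
# on the constructed sample. The exit status is the gate's verdict.
static_scan_stage() {
  if command -v gosec >/dev/null 2>&1; then
    run_gosec_scan "${GOSEC_ADDITIONAL_FLAGS:-}"
  else
    echo "static-scan: gosec not found, dry run on sample report" >&2
    write_sample_report "$RESULTS"
  fi
  evaluate_results "$RESULTS"
}

# In this example the pipeline sets STATIC_SCAN_RUN=1 when it executes the
# stage; when the file is only sourced, just the functions are defined.
if [ "${STATIC_SCAN_RUN:-0}" = "1" ]; then
  static_scan_stage
fi
```

Run it as STATIC_SCAN_RUN=1 sh static-scan.sh from the repository root. Without gosec installed it exercises the gate on the sample report and exits non-zero because the sample contains one HIGH finding; the threshold (severity, or a count) is the place to adjust if your policy differs.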