ci: add govulncheck to ci

2026-05-12 22:39:34 -05:00 · 2023-12-28 14:26:12 +01:00
parent 98b9fce738
commit c095224636
1 changed files with 34 additions and 1 deletions
@@ -318,7 +318,8 @@ def testOcisAndUploadResults(ctx):
    scan_result_upload = uploadScanResults(ctx)
    scan_result_upload["depends_on"] = getPipelineNames([pipeline])

-    return [pipeline, scan_result_upload]
+    security_scan = scanOcis(ctx)
+    return [pipeline, scan_result_upload, security_scan]

 def testPipelines(ctx):
    pipelines = []
@@ -505,6 +506,38 @@ def testOcis(ctx):
        "volumes": [pipelineVolumeGo],
    }

+def scanOcis(ctx):
+    steps = skipIfUnchanged(ctx, "unit-tests") + restoreGoBinCache() + makeGoGenerate("") + [
+        {
+            "name": "govulncheck",
+            "image": OC_CI_GOLANG,
+            "commands": [
+                "make govulncheck",
+            ],
+            "environment": DRONE_HTTP_PROXY_ENV,
+            "volumes": [stepVolumeGo],
+        },
+    ]
+
+    return {
+        "kind": "pipeline",
+        "type": "docker",
+        "name": "go-vulnerability-scanning",
+        "platform": {
+            "os": "linux",
+            "arch": "amd64",
+        },
+        "steps": steps,
+        "trigger": {
+            "ref": [
+                "refs/heads/master",
+                "refs/pull/**",
+            ],
+        },
+        "depends_on": getPipelineNames(getGoBinForTesting(ctx)),
+        "volumes": [pipelineVolumeGo],
+    }
+
 def buildOcisBinaryForTesting(ctx):
    return {
        "kind": "pipeline",