sbassett added a comment.

  @Michaelcochez - Thanks for getting gosec set up within the project's GitHub 
CI.  Just reviewing some recent runs 
<https://github.com/martaannaj/RecommenderServer/actions/workflows/gosec.yml>, 
it doesn't seem like it's found much, which is good, and we'd likely rate that 
as **low risk** for now, but I'll let @reedy 
make that call as this is his review.
  
  Another tool that might be helpful is go-kart 
<https://www.praetorian.com/blog/introducing-gokart/>, which is somewhat of a 
complement/alternative to gosec FWIU, and it looks like there's a convenient 
way to set it up as a GitHub action here 
<https://github.com/kitabisa/gokart-action>.  Semgrep <https://semgrep.dev/> 
also has a golang policy ("p/golang") consisting of about 24 rules right now.  
I'd also recommend using at least some tool to scan for vulnerable packages in 
addition to GitHub's recent Advisories support for golang 
<https://github.blog/2021-07-22-github-supply-chain-security-features-go-community/>.
  Nancy <https://github.com/sonatype-nexus-community/nancy> or even the 
free/FOSS tier of Snyk <https://snyk.io/plans/> should work, though the latter 
obviously has some limits re: tests per month, etc.  Talking with some Snyk 
sales reps recently, they are allegedly coming out with a pure non-profit 
license, which I'm hopeful might work well and be less limited for the entire 
Wikimedia developer community/ecosystem.
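As an added illustration (not from this task or the RecommenderServer repository), one GitHub Actions workflow that wires the scanners discussed in the comment above into CI: gosec, gokart, semgrep's p/golang policy, and nancy for vulnerable dependencies. Action names, versions and the Go version are assumptions current as of 2021; each job fails the build when its scanner reports findings.

```yaml
# Added example, not project code. Assumed action names/versions:
# securego/gosec, returntocorp/semgrep-action, actions/setup-go;
# gokart and nancy are installed with `go install` and run directly.
name: go-security-scans
on:
  push:
    branches: [main]
  pull_request:

jobs:
  gosec:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Run gosec over all packages
        uses: securego/gosec@master
        with:
          args: ./...

  gokart:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-go@v2
        with:
          go-version: '1.17'
      - name: Run gokart (taint-tracking SAST, complements gosec)
        run: |
          go install github.com/praetorian-inc/gokart@latest
          gokart scan .

  semgrep:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Run semgrep with the golang policy
        uses: returntocorp/semgrep-action@v1
        with:
          config: p/golang

  nancy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-go@v2
        with:
          go-version: '1.17'
      - name: Check module dependencies against Sonatype OSS Index
        run: |
          go install github.com/sonatype-nexus-community/nancy@latest
          go list -json -deps ./... | nancy sleuth
```

Run the dependency check on a schedule as well as on push, since new advisories appear without any change to go.sum.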

TASK DETAIL
  https://phabricator.wikimedia.org/T292110


To: Reedy, sbassett
Cc: Lucas_Werkmeister_WMDE, sbassett, Michaelcochez, Martaannaj, 
Lydia_Pintscher, Addshore, WMDE-leszek, karapayneWMDE, Aklapper, Invadibot, 
Devnull, maantietaja, Akuckartz, Jcross, Dsharpe, DannyS712, Nandana, Lahi, 
Gq86, GoranSMilovanovic, QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, 
Wikidata-bugs, aude, Bawolff, Mbch331, Legoktm
_______________________________________________
Wikidata-bugs mailing list -- wikidata-bugs@lists.wikimedia.org