Run govulncheck when a new PR is opened for go module changes to understand if the new changes are bringing newer vulnerabilities than the ones affecting main (master) branch.
@PushkarJ: The label(s) area/security cannot be applied, because the repository doesn't have them.
In response to [this](https://github.com/kubernetes/sig-security/issues/99):
>## Description
>
>Run `govulncheck` when a new PR is opened for go module changes to understand if the new changes are bringing newer vulnerabilities than the ones affecting main (master) branch.
>
>## Implementation Details
>
>- Create a new yaml file here: https://github.com/kubernetes/test-infra/tree/0e5705d1a7cfe4c0ba8e2518a15c26f8ebc1b66d/config/jobs/kubernetes/sig-security named as `govulncheck-presubmit.yaml` that looks something like this:
>
>```yaml
>presubmits:
>  kubernetes/kubernetes:
>    - name: check-govulncheck-results
>      decorate: true
>      decoration_config:
>        timeout: 5m
>      path_alias: k8s.io/kubernetes
>      extra_refs:
>        - org: kubernetes
>          repo: sig-security
>          base_ref: main
>          workdir: true
>      always_run: false
>      optional: true
>      run_if_changed: '^(go.mod|go.sum|vendor)'
>      spec:
>        containers:
>          - image: golang
>            command:
>              - /bin/bash
>            args:
>              - -c
>              - |
>                cd sig-security-tooling/govulncheck/hack/ && ./govulncheck-presubmit.sh
>      annotations:
>        testgrid-create-test-group: "true"
>        testgrid-dashboards: sig-security-govulncheck-presubmit
>        description: Runs `govulncheck` for PRs related to go module changes
>```
>
>Add a new file `sig-security-tooling/govulncheck/hack/govulncheck-presubmit.sh` in https://github.com/kubernetes/sig-security
>
>```bash
>set -euo pipefail
>
># Scratch directory for the two reports; TMPDIR is not guaranteed to be set in the job image.
>export WORKDIR="${TMPDIR:-/tmp}/govulncheck"
>export PATH="${PATH}:$(go env GOPATH)/bin"
>
>mkdir -p "${WORKDIR}"
>
># Install govulncheck from outside the kubernetes module so its go.mod/go.sum stay untouched.
>go install golang.org/x/vuln/cmd/govulncheck@latest
>
># Assumes Prow's default layout: the kubernetes clone lives under its path_alias in GOPATH.
>pushd "$(go env GOPATH)/src/k8s.io/kubernetes"
>
># govulncheck exits non-zero when it reports findings; keep going so both reports get written.
>govulncheck -scan module ./... > "${WORKDIR}/head.txt" || true
>
># Switch to the PR base (PULL_BASE_SHA is provided by Prow) and scan it the same way.
>git reset --hard HEAD
>git checkout -b base "${PULL_BASE_SHA}"
>govulncheck -scan module ./... > "${WORKDIR}/pr-base.txt" || true
>popd
>
># Lines prefixed with '+' are findings present in the PR head but absent from its base.
>diff -s -u --ignore-all-space "${WORKDIR}/pr-base.txt" "${WORKDIR}/head.txt" || true
>```
>
>/sig security architecture
>/area dependency security
Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.
## Tips and Caveats

`|| true` is set so that the job doesn't fail since it's non-blocking.

## Parent Issue

#95
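The script in the issue compares the two reports as plain text, so reordered or reworded govulncheck output shows up as a spurious diff. As an added example (not code from the issue or from kubernetes/sig-security), the Go program below does the same base-versus-head comparison over `govulncheck -json` output, keying on OSV IDs so that only advisories genuinely introduced or resolved by the PR are reported. The two JSON streams embedded in it are constructed sample input: their IDs, module paths and summaries are placeholders, not real advisories, and the struct fields cover only the `osv` and `finding` messages the comparison needs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// message mirrors one object of the `govulncheck -json` stream. Each object carries a
// single key ("config", "progress", "osv" or "finding"); keys not needed here are ignored.
type message struct {
	OSV     *osvEntry `json:"osv"`
	Finding *finding  `json:"finding"`
}

type osvEntry struct {
	ID      string `json:"id"`
	Summary string `json:"summary"`
}

type frame struct {
	Module  string `json:"module"`
	Version string `json:"version"`
}

type finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version"`
	Trace        []frame `json:"trace"`
}

// report is what one govulncheck run told us: the first finding per OSV ID (govulncheck
// emits one finding per affected module or symbol) plus the advisory summaries.
type report struct {
	findings  map[string]finding
	summaries map[string]string
}

// parseReport decodes a govulncheck JSON stream (concatenated objects, not a JSON array).
func parseReport(r io.Reader) (report, error) {
	rep := report{findings: map[string]finding{}, summaries: map[string]string{}}
	dec := json.NewDecoder(r)
	for {
		var m message
		err := dec.Decode(&m)
		if err == io.EOF {
			return rep, nil
		}
		if err != nil {
			return report{}, fmt.Errorf("decoding govulncheck output: %w", err)
		}
		if m.OSV != nil {
			rep.summaries[m.OSV.ID] = m.OSV.Summary
		}
		if m.Finding != nil {
			if _, seen := rep.findings[m.Finding.OSV]; !seen {
				rep.findings[m.Finding.OSV] = *m.Finding
			}
		}
	}
}

// diffIDs returns the OSV IDs reported in a but not in b, sorted for stable output.
func diffIDs(a, b report) []string {
	var out []string
	for id := range a.findings {
		if _, ok := b.findings[id]; !ok {
			out = append(out, id)
		}
	}
	sort.Strings(out)
	return out
}

// newFindings are advisories the PR introduces; resolvedFindings are ones it removes.
func newFindings(base, head report) []string      { return diffIDs(head, base) }
func resolvedFindings(base, head report) []string { return diffIDs(base, head) }

// describe renders one finding as a PR comment would want to show it.
func describe(rep report, id string) string {
	f := rep.findings[id]
	mod := "unknown module"
	if len(f.Trace) > 0 {
		mod = f.Trace[0].Module + "@" + f.Trace[0].Version
	}
	return fmt.Sprintf("%s in %s (fixed in %s): %s", id, mod, f.FixedVersion, rep.summaries[id])
}

// sampleBase and sampleHead are constructed stand-ins for `govulncheck -json -scan module`
// output on the PR base and head. IDs, modules and summaries are placeholders, not real advisories.
const sampleBase = `
{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"osv":{"id":"GO-EXAMPLE-0001","summary":"Placeholder advisory already present on the base branch"}}
{"osv":{"id":"GO-EXAMPLE-0003","summary":"Placeholder advisory the PR's dependency bump fixes"}}
{"finding":{"osv":"GO-EXAMPLE-0001","fixed_version":"v1.2.3","trace":[{"module":"example.com/dep-a","version":"v1.2.0"}]}}
{"finding":{"osv":"GO-EXAMPLE-0003","fixed_version":"v2.0.1","trace":[{"module":"example.com/dep-c","version":"v2.0.0"}]}}
`

const sampleHead = `
{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"osv":{"id":"GO-EXAMPLE-0001","summary":"Placeholder advisory already present on the base branch"}}
{"osv":{"id":"GO-EXAMPLE-0002","summary":"Placeholder advisory introduced by the PR's dependency bump"}}
{"finding":{"osv":"GO-EXAMPLE-0001","fixed_version":"v1.2.3","trace":[{"module":"example.com/dep-a","version":"v1.2.0"}]}}
{"finding":{"osv":"GO-EXAMPLE-0002","fixed_version":"v0.9.0","trace":[{"module":"example.com/dep-b","version":"v0.8.0"}]}}
{"finding":{"osv":"GO-EXAMPLE-0002","fixed_version":"v0.9.0","trace":[{"module":"example.com/dep-b","version":"v0.8.0"}]}}
`

func main() {
	base, err := parseReport(strings.NewReader(sampleBase))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	head, err := parseReport(strings.NewReader(sampleHead))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, id := range newFindings(base, head) {
		fmt.Println("NEW:     ", describe(head, id))
	}
	for _, id := range resolvedFindings(base, head) {
		fmt.Println("RESOLVED:", describe(base, id))
	}
}
```

In the job, the two streams would come from `govulncheck -json -scan module ./...` run at `PULL_BASE_SHA` and at HEAD instead of the embedded constants. The program exits 0 whether or not it finds anything new, which keeps the presubmit non-blocking as the issue intends; the duplicated finding for the same ID in the head sample shows why the comparison dedups on OSV ID rather than counting finding lines.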