securego / gosec

Go security checker
https://securego.io
Apache License 2.0

Go version issues when running in CI (Github Actions) #1166

Closed saurori closed 2 days ago

saurori commented 1 month ago

Summary

I'm running into a version mismatch when running gosec in Github Actions. I have a dependency ariga.io/atlas v0.25.0 which is forcing my go.mod file to specify the Go version as go 1.22.5. It appears the Docker image securego/gosec:2.20.0 was built with go 1.22.3. This results in my CI action failing with errors such as:

Golang errors in file: [cmd]:

  > [line 0 : column 0] - loading files from package "cmd": err: exit status 1: stderr: go: go.mod requires go >= 1.22.5 (running go 1.22.3; GOTOOLCHAIN=local)

I'm not sure if there is a workaround or if a new Docker image could be built with the latest Go version.

Steps to reproduce the behavior

Use Github Action (setup-go may not be needed):

jobs:
  gosec:
    name: Gosec
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Installs Go on the runner only; the gosec step below is a Docker
      # container action and uses the Go toolchain baked into its image.
      - uses: actions/setup-go@v5
        with:
          go-version: '1.22.5'

      # action.yaml pins the securego/gosec image, so the Go version used
      # here is whatever that image was built with (1.22.3 for 2.20.0).
      - name: Run Gosec Security Scanner
        uses: securego/gosec@master
        with:
          args: '-exclude=G108,G203 -exclude-generated ./...'

gosec version

2.20.0

Go version (output of 'go version')

go version go1.22.5 linux/amd64

ccojocar commented 1 month ago

The version is already bumped in the CI scripts to 1.22.5. This will be fixed with the next release, when a new docker image is released with an updated Go version.

In the meantime, you can build a new docker image from master.
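The error in the report ("go.mod requires go >= 1.22.5 (running go 1.22.3; GOTOOLCHAIN=local)") only appears after gosec has started loading packages. The following script is an added example, not part of this issue or of the gosec project: it reads the `go` directive from go.mod, parses the output of `go version`, and fails fast with an explicit message when the toolchain is too old, which is useful as a preflight step before a pinned scanner image runs. The `check_toolchain` helper and its arguments are this example's own names; the sample go.mod content in the usage comment is constructed. The GOTOOLCHAIN=auto hint in the message is the standard Go 1.21+ behaviour of downloading the toolchain go.mod asks for, which the image disables by setting GOTOOLCHAIN=local.

```shell
#!/bin/sh
# Added example (not gosec project code): preflight check that the Go toolchain
# about to run gosec satisfies the `go` directive of the module under scan.

# Print the `go` directive of a go.mod file, e.g. "1.22.5".
go_directive_version() {
    awk '$1 == "go" { print $2; exit }' "$1"
}

# Extract the version number from `go version` output:
# "go version go1.22.3 linux/amd64" -> "1.22.3".
go_tool_version() {
    printf '%s\n' "$1" | sed -n 's/^go version go\([0-9][0-9.]*\).*/\1/p'
}

# Dotted-version comparison: exit 0 when $1 >= $2.
# Missing components count as 0, so "1.22" >= "1.22.0".
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# check_toolchain GO_MOD_PATH GO_VERSION_OUTPUT
# Exit 0 when the toolchain satisfies go.mod, 1 on a mismatch, 2 if either
# version could not be parsed. The mismatch message names both versions, which
# the terse "go: go.mod requires go >= ..." error from the scanner does not.
check_toolchain() {
    required=$(go_directive_version "$1")
    running=$(go_tool_version "$2")
    if [ -z "$required" ] || [ -z "$running" ]; then
        echo "could not read a go version from $1 or from the toolchain output" >&2
        return 2
    fi
    if version_ge "$running" "$required"; then
        echo "ok: toolchain go$running satisfies go.mod requirement go$required"
        return 0
    fi
    echo "toolchain go$running is older than go.mod requirement go$required;" \
         "use a scanner image built with go >= $required," \
         "or set GOTOOLCHAIN=auto so Go can fetch it" >&2
    return 1
}

# Stand-alone usage: sh check_go_toolchain.sh path/to/go.mod
# (a constructed go.mod containing "go 1.22.5" and go1.22.3 installed exits 1)
if [ "$#" -gt 0 ]; then
    check_toolchain "$1" "$(go version)"
fi
```

Run it as a CI step right after checkout, before the scanner: a non-zero exit there points at the toolchain pin instead of at the package loader, and the `version_ge` helper treats `go 1.22` and `go 1.22.0` as equivalent, matching how Go reads the directive.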

omercnet commented 1 month ago

@ccojocar please release a new patch for the gosec docker image, using action.yaml from master still gives the hardcoded image

perhaps master should use latest image and the tagged versions will reference the specific versions

but for now please just release a patch so to unclog CIs around the world :)

ccojocar commented 1 month ago

I'll release a new version soon. Usually we keep a 3-month cadence.

perhaps master should use latest image and the tagged versions will reference the specific versions

The latest tag is always pointing to the last released version. There isn't a continuous build of the latest image from master. We try to keep the version of the action in sync with the version of the image, which is why it is hardcoded. I didn't find an automatic way to do this. Happy to have some suggestions on how this could be automated.

but for now please just release a patch so to unclog CIs around the world :)

This sounds like a happy end for these CIs. In this case, they should consider sponsoring the project if it is so critical for them ;-).

saurori commented 1 month ago

I would suggest releasing patch / hotfix versions (e.g. 2.20.1) for security issues in either Go versions or versions of dependencies. Those releases should only contain version updates separate from any feature releases. Then you can stick to a 3 month release cadence without falling behind on security issues.

saurori commented 1 week ago

@ccojocar Any update on this? We're now on to go1.23 and it's causing issues across even more repos. Can we please at least get a hotfix release with just go version updates if other features/fixes aren't ready to release?