akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 15 Packages Projects Releases Wiki Activity
Files
main
Charon/scripts/security-scan.sh
renovate[bot] 6391532b2d fix(deps): update non-major-updates
2026-04-14 01:08:04 +00:00

73 lines
2.3 KiB
Bash
Executable File
Raw Permalink Blame History

#!/bin/bash
# Local security scanning script for pre-commit
# Scans Go dependencies for vulnerabilities using govulncheck (fast, no Docker needed)
# For full Trivy scans, run: make security-scan-full
set -e
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
# Get script directory and repo root
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(dirname "$SCRIPT_DIR")"
echo "🔒 Running local security scan..."
# Check if govulncheck is installed
if ! command -v govulncheck &> /dev/null; then
echo -e "${YELLOW}Installing govulncheck...${NC}"
# renovate: datasource=go depName=golang.org/x/vuln
go install golang.org/x/vuln/cmd/govulncheck@v1.2.0
fi
# Run govulncheck on backend Go code
echo "📦 Scanning Go dependencies for vulnerabilities..."
cd "$REPO_ROOT/backend"
# Run govulncheck and capture output
VULN_OUTPUT=$(govulncheck ./... 2>&1) || true
# Check for actual vulnerabilities (not just "No vulnerabilities found")
if echo "$VULN_OUTPUT" | grep -q "Vulnerability"; then
echo -e "${RED}❌ Vulnerabilities found in Go dependencies:${NC}"
echo "$VULN_OUTPUT"
# Count HIGH/CRITICAL vulnerabilities
HIGH_COUNT=$(echo "$VULN_OUTPUT" | grep -c "Severity: HIGH\|CRITICAL" || true)
if [ "$HIGH_COUNT" -gt 0 ]; then
echo -e "${RED}Found $HIGH_COUNT HIGH/CRITICAL vulnerabilities. Please fix before committing.${NC}"
exit 1
else
echo -e "${YELLOW}⚠️ Found vulnerabilities, but none are HIGH/CRITICAL. Consider fixing.${NC}"
# Don't fail for lower severity - just warn
fi
else
echo -e "${GREEN}✅ No known vulnerabilities in Go dependencies${NC}"
fi
cd "$REPO_ROOT"
# Check for outdated dependencies with known CVEs (quick check)
echo ""
echo "📋 Checking for outdated security-sensitive packages..."
# Check key packages - only show those with updates available (indicated by [...])
cd "$REPO_ROOT/backend"
OUTDATED=$(go list -m -u all 2>/dev/null | grep -E "(crypto|net|quic)" | grep '\[' | head -10 || true)
if [ -n "$OUTDATED" ]; then
echo -e "${YELLOW}⚠️ Outdated packages found:${NC}"
echo "$OUTDATED"
else
echo -e "${GREEN}All security-sensitive packages are up to date${NC}"
fi
cd "$REPO_ROOT"
echo ""
echo -e "${GREEN}✅ Security scan complete${NC}"
echo ""
echo "💡 For a full container scan, run: make security-scan-full"
Reference in New Issue View Git Blame Copy Permalink