Charon/scripts/security-scan.sh
GitHub Actions 8294d6ee49 Add QA test outputs, build scripts, and Dockerfile validation
- Created `qa-test-output-after-fix.txt` and `qa-test-output.txt` to log results of certificate page authentication tests.
- Added `build.sh` for deterministic backend builds in CI, utilizing `go list` for efficiency.
- Introduced `codeql_scan.sh` for CodeQL database creation and analysis for Go and JavaScript/TypeScript.
- Implemented `dockerfile_check.sh` to validate Dockerfiles for base image and package manager mismatches.
- Added `sourcery_precommit_wrapper.sh` to facilitate Sourcery CLI usage in pre-commit hooks.
2025-12-11 18:26:24 +00:00


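#!/bin/bash
# Local security scanning script for pre-commit.
#
# Scans the backend Go module for known vulnerabilities with govulncheck
# (fast, no Docker needed) and lists outdated security-sensitive modules.
# For full Trivy scans, run: make security-scan-full
#
# Environment:
#   GOVULNCHECK_VERSION    version passed to `go install` when govulncheck is
#                          missing (default: latest; pin it in CI so the
#                          scanner itself is reproducible)
#   SENSITIVE_PKG_PATTERN  extended regex selecting the modules reported by the
#                          outdated-package check (default: "(crypto|net|quic)")
#
# Exit status:
#   0  no vulnerability reachable from the backend's called code
#      (warnings may still be printed)
#   1  govulncheck reported a reachable vulnerability, or the scanner could
#      not be installed / run
set -euo pipefail

readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly NC='\033[0m' # No Color

GOVULNCHECK_VERSION="${GOVULNCHECK_VERSION:-latest}"
SENSITIVE_PKG_PATTERN="${SENSITIVE_PKG_PATTERN:-(crypto|net|quic)}"
readonly GOVULNCHECK_VERSION SENSITIVE_PKG_PATTERN

# Script directory, repo root and the Go module that gets scanned.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(dirname "$SCRIPT_DIR")"
BACKEND_DIR="$REPO_ROOT/backend"
readonly SCRIPT_DIR REPO_ROOT BACKEND_DIR

#######################################
# Print a (possibly colourised) message to stdout.
# %b expands the \033 escapes held in the colour constants, so only pass
# fixed strings here; tool output is printed with %s elsewhere.
# Arguments: message parts, joined with a space
#######################################
log() {
  printf '%b\n' "$*"
}

#######################################
# Print a red error message to stderr and exit 1.
# Arguments: message parts, joined with a space
#######################################
die() {
  printf '%b\n' "${RED}$*${NC}" >&2
  exit 1
}

#######################################
# Make sure govulncheck is on PATH, installing it when it is missing.
# Globals:   GOVULNCHECK_VERSION (read), PATH (may be extended)
# Returns:   0 when govulncheck is usable; exits 1 otherwise
#######################################
ensure_govulncheck() {
  local gobin
  if command -v govulncheck >/dev/null 2>&1; then
    return 0
  fi
  log "${YELLOW}Installing govulncheck@${GOVULNCHECK_VERSION}...${NC}"
  go install "golang.org/x/vuln/cmd/govulncheck@${GOVULNCHECK_VERSION}" \
    || die "failed to install govulncheck"
  # `go install` writes to GOBIN (or GOPATH/bin), which is often not on PATH
  # in a fresh hook shell; without this the very next command would be
  # "command not found" right after a successful install.
  gobin="$(go env GOBIN)"
  if [[ -z "$gobin" ]]; then
    gobin="$(go env GOPATH)/bin"
  fi
  export PATH="${gobin}:${PATH}"
  command -v govulncheck >/dev/null 2>&1 \
    || die "govulncheck was installed to ${gobin} but is still not on PATH"
}

#######################################
# Run govulncheck on the backend module and decide pass / warn / fail.
# Globals:   BACKEND_DIR (read)
# Outputs:   scan summary (and the govulncheck report when relevant)
# Returns:   0 on a clean scan or warnings only; exits 1 on findings reachable
#            from called code, or when the scanner itself fails
#######################################
scan_go_vulns() {
  local output rc=0
  log "📦 Scanning Go dependencies for vulnerabilities..."
  # Run inside the command substitution so the caller's working directory is
  # untouched. The exit status is captured rather than discarded: govulncheck
  # documents status 3 as "vulnerabilities found" (confirm for the pinned
  # version), so any other non-zero status is a scanner error and must not be
  # reported as a clean result.
  output="$(cd "$BACKEND_DIR" && govulncheck ./... 2>&1)" || rc=$?

  case "$rc" in
    3)
      # Findings reachable from the backend's own call graph block the commit.
      # The text report does not carry a severity field we can grep for, so
      # reachability is the gate rather than a HIGH/CRITICAL count.
      log "${RED}❌ Vulnerabilities reachable from Go code:${NC}"
      printf '%s\n' "$output"
      die "Please fix the vulnerabilities above before committing."
      ;;
    0)
      if grep -q 'Vulnerability #' <<<"$output"; then
        # Imported-but-not-called findings (govulncheck's informational
        # section) do not fail the scan, but they are worth seeing.
        log "${YELLOW}⚠️ Vulnerable modules are imported but not reachable from called code. Consider updating:${NC}"
        printf '%s\n' "$output"
      else
        log "${GREEN}✅ No known vulnerabilities in Go dependencies${NC}"
      fi
      ;;
    *)
      printf '%s\n' "$output" >&2
      die "govulncheck failed (exit ${rc}); treating the scan as failed."
      ;;
  esac
}

#######################################
# Report outdated modules matching SENSITIVE_PKG_PATTERN. Best effort:
# `go list -m -u` needs network access and is silenced on failure.
# Globals:   BACKEND_DIR, SENSITIVE_PKG_PATTERN (read)
# Outputs:   up to ten "path vX [vY]" lines with an update available
#######################################
check_outdated_packages() {
  local outdated
  log ""
  log "📋 Checking for outdated security-sensitive packages..."
  # `go list -m -u all` marks modules with an update available as
  # "path v1.2.3 [v1.2.4]"; keep the first ten such lines.
  outdated="$(cd "$BACKEND_DIR" \
    && go list -m -u all 2>/dev/null \
    | grep -E -- "$SENSITIVE_PKG_PATTERN" \
    | grep -F '[' \
    | head -n 10)" || true
  if [[ -n "$outdated" ]]; then
    log "${YELLOW}⚠️ Outdated packages found:${NC}"
    printf '%s\n' "$outdated"
  else
    log "${GREEN}All security-sensitive packages are up to date${NC}"
  fi
}

#######################################
# Entry point: install the scanner if needed, scan, then report.
#######################################
main() {
  log "🔒 Running local security scan..."
  ensure_govulncheck
  scan_go_vulns
  check_outdated_packages
  log ""
  log "${GREEN}✅ Security scan complete${NC}"
  log ""
  log "💡 For a full container scan, run: make security-scan-full"
}

main "$@"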