feat(scan): add ci scan

add ci scan Signed-off-by: ysicing <[email protected]>
easysoft · Oct 18, 2023 · 452a1b1 · 452a1b1
1 parent 39e84d5
commit 452a1b1
Show file tree

Hide file tree

Showing 7 changed files with 62 additions and 11 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -35,6 +35,10 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
       - name: Setup Go
         uses: actions/setup-go@v4
         with:
@@ -60,3 +64,19 @@ jobs:
         run: |
           ./_output/qcadmin_linux_amd64 version
           sudo ./_output/qcadmin_linux_amd64 init --domain github.local --debug
+      - name: test qcadmin
+        run: |
+          task docker-build
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ttl.sh/easysoft/qcadmin
+          format: 'sarif'
+          ignore-unfixed: true
+          severity: 'CRITICAL,HIGH,MEDIUM'
+          output: 'trivy-results.sarif'
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/.golangci.yml b/.golangci.yml
@@ -1,6 +1,6 @@
 run:
   timeout: 5m
-  skip-dirs-use-default: false
+  skip-dirs-use-default: true
   skip-dirs:
     - hack/bin
     - testdata$
@@ -11,7 +11,6 @@ run:
   - ".*test.go"
   modules-download-mode: readonly
   allow-parallel-runners: true
-  go: '1.21'
 
 issues:
   exclude:
@@ -53,6 +52,7 @@ linters:
     - gofmt
     - goimports
     - gosec
+    # - goconst
     # - gosimple
     - govet
     - ineffassign
@@ -64,6 +64,10 @@ linters:
     - goheader
     # - lll
     - whitespace
+    - vet
+    # - errcheck
+    # - nilerr
+    # - unconvert
 
 linters-settings:
   gosimple:
@@ -110,3 +114,17 @@ linters-settings:
     rules:
       - name: unused-parameter
         disabled: true
+
+  errcheck:
+    check-type-assertions: false
+    check-blank: true
+    ignore: fmt:.*
+    exclude-functions:
+      - io.Copy(*bytes.Buffer)
+      - io.Copy(os.Stdout)
+
+# golangci.com configuration
+# https://github.com/golangci/golangci/wiki/Configuration
+service:
+  # use the fixed version to not introduce new linters unexpectedly
+  golangci-lint-version: latest
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,5 @@
+FROM ysicing/debian
+
+COPY ./_output/qcadmin_linux_amd64 /usr/bin/qcadmin
+
+RUN chmod +x /usr/bin/qcadmin
diff --git a/Taskfile.yml b/Taskfile.yml
@@ -122,6 +122,16 @@ tasks:
     cmds:
       - cat examples/sonar-project.properties.example | sed "s#2.0.0#${APP_VERSION}#g" | sed "s#quickon#pangu#g" > sonar-project.properties
 
+  docker-build:
+    desc: build docker image
+    cmds:
+      - docker buildx build --pull --push --platform linux/amd64 -t ttl.sh/easysoft/qcadmin .
+
+  trivy-docker:
+    desc: trivy docker image
+    cmds:
+      - trivy image --severity MEDIUM,HIGH,CRITICAL ttl.sh/easysoft/qcadmin --scanners vuln
+
   default:
     desc: default linux
     cmds:

diff --git a/common/func.go b/common/func.go
@@ -196,7 +196,7 @@ func GetCustomScripts(path string) string {
 
 // GetReleaseName get chart release name
 func GetReleaseName(devops bool) string {
-	if devops == true {
+	if devops {
 		return DefaultZentaoPaasName
 	}
 	return DefaultQuchengName
@@ -212,7 +212,7 @@ func GetDefaultNFSStoragePath(dir string) string {
 
 // GetInstallType get install type
 func GetInstallType(devops bool) string {
-	if devops == true {
+	if devops {
 		return "devops"
 	}
 	return "quickon"

diff --git a/internal/pkg/k8s/nodes.go b/internal/pkg/k8s/nodes.go
@@ -94,9 +94,7 @@ func (c *Client) GetPodsByNodes(nodeName string) (pods []corev1.Pod, err error)
 	if err != nil {
 		return pods, err
 	}
-	for _, pod := range podList.Items {
-		pods = append(pods, pod)
-	}
+	pods = append(pods, podList.Items...)
 	return pods, nil
 }
 

diff --git a/pkg/quickon/quickon.go b/pkg/quickon/quickon.go
@@ -323,10 +323,10 @@ func (m *Meta) Init() error {
 	}
 
 	if m.OffLine {
-		helmargs = append(helmargs, "--set", fmt.Sprintf("cloud.host=http://market-cne-market-api.quickon-system.svc:8088"))
-		helmargs = append(helmargs, "--set", fmt.Sprintf("env.CNE_MARKET_API_SCHEMA=http"))
-		helmargs = append(helmargs, "--set", fmt.Sprintf("env.CNE_MARKET_API_HOST=market-cne-market-api.quickon-system.svc"))
-		helmargs = append(helmargs, "--set", fmt.Sprintf("env.CNE_MARKET_API_PORT=8088"))
+		helmargs = append(helmargs, "--set", "cloud.host=http://market-cne-market-api.quickon-system.svc:8088")
+		helmargs = append(helmargs, "--set", "env.CNE_MARKET_API_SCHEMA=http")
+		helmargs = append(helmargs, "--set", "env.CNE_MARKET_API_HOST=market-cne-market-api.quickon-system.svc")
+		helmargs = append(helmargs, "--set", "env.CNE_MARKET_API_PORT=8088")
 	}
 
 	helmargs = append(helmargs, "--set", fmt.Sprintf("ingress.host=%s", hostdomain))