Run the Go vuln tool in CI


    • Type: Task
    • Resolution: Unresolved
    • Priority: Major - P3
    • Affects Version/s: None
    • Component/s: None

      Problem

      See https://go.dev/blog/vuln for details on this tool. In short, it's a Go code vulnerability scanner.

      The problem this solves is that we want to be alerted to potential security issues in our codebase ASAP so we can fix them.

      Solution

      We want to run this tool in CI.

      Impact

      This will let us spot security issues as soon as possible without relying on people reading blogs, CVE announcements, etc.

      Acceptance Criteria

      • Add a static analysis task to run this tool.
      • Decide what to do with its output. Do we fail CI on some or all vulnerabilities? If not, how can we be alerted to vulnerabilities?

            Assignee: Unassigned
            Reporter: Dave Rolsky
            Votes: 0
            Watchers: 3
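One concrete way to answer the second acceptance criterion (what to do with the tool's output) is to pipe `govulncheck -json ./...` into a small triage step that fails the build only when a vulnerable symbol is actually reachable from our code and merely warns when the vulnerable module is just present in the dependency graph. The program below is an added example written for this issue, not code from the project or from govulncheck itself. It assumes govulncheck's streaming JSON format (one object per message, with `finding` messages carrying an `osv` id, a `fixed_version`, and a `trace` whose frames have a `function` field when a call path was found); the embedded sample stream, its OSV ids and module names are constructed for illustration and are not real advisories.

```go
// triage.go: gate CI on govulncheck's streaming JSON output.
//
// Added example for this issue, not project code. Assumes the message
// format of `govulncheck -json ./...`. SampleStream below is constructed
// input with hypothetical OSV ids and module paths.
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strings"
)

// frame is one entry of a finding's call trace. A non-empty Function means
// govulncheck found a call path from our code into the vulnerable symbol.
type frame struct {
	Module   string `json:"module"`
	Version  string `json:"version"`
	Package  string `json:"package"`
	Function string `json:"function"`
}

// finding mirrors the "finding" message emitted by govulncheck -json.
type finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version"`
	Trace        []frame `json:"trace"`
}

// message is the per-line envelope; "config", "progress" and "osv"
// messages are ignored here, only "finding" is decoded.
type message struct {
	Finding *finding `json:"finding"`
}

// Report buckets vulnerabilities by whether our code calls them.
type Report struct {
	Called     map[string]string // OSV id -> fixed version: fail CI
	ModuleOnly map[string]string // OSV id -> fixed version: warn only
}

// ShouldFail reports whether any reachable vulnerability was found.
func (r Report) ShouldFail() bool { return len(r.Called) > 0 }

// Triage reads a govulncheck JSON stream and classifies each finding.
// govulncheck emits several findings per OSV id (module, package and
// symbol level, in any order); a symbol-level finding always wins.
func Triage(in io.Reader) (Report, error) {
	rep := Report{Called: map[string]string{}, ModuleOnly: map[string]string{}}
	dec := json.NewDecoder(in)
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return rep, err
		}
		if m.Finding == nil {
			continue
		}
		f := m.Finding
		called := false
		for _, fr := range f.Trace {
			if fr.Function != "" {
				called = true
				break
			}
		}
		if called {
			rep.Called[f.OSV] = f.FixedVersion
			delete(rep.ModuleOnly, f.OSV)
		} else if _, seen := rep.Called[f.OSV]; !seen {
			rep.ModuleOnly[f.OSV] = f.FixedVersion
		}
	}
	return rep, nil
}

// SampleStream is constructed test input: one vulnerability with a call
// path (reported first at module level, then at symbol level) and one
// that is only present in the module graph.
const SampleStream = `
{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v1.2.3","trace":[{"module":"example.com/dep","version":"v1.2.2"}]}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v1.2.3","trace":[{"module":"example.com/dep","version":"v1.2.2","package":"example.com/dep/parse","function":"Parse"},{"module":"example.com/app","package":"example.com/app","function":"main"}]}}
{"finding":{"osv":"GO-0000-0002","fixed_version":"v0.9.0","trace":[{"module":"example.com/other","version":"v0.8.0"}]}}
`

func main() {
	in := io.Reader(os.Stdin) // CI: govulncheck -json ./... | go run ./tools/triage
	if len(os.Args) > 1 && os.Args[1] == "-sample" {
		in = strings.NewReader(SampleStream)
	}
	rep, err := Triage(in)
	if err != nil {
		fmt.Fprintln(os.Stderr, "triage: cannot parse govulncheck output:", err)
		os.Exit(2)
	}
	for id, fix := range rep.ModuleOnly {
		fmt.Printf("WARN %s: vulnerable module required, no call path found (fixed in %s)\n", id, fix)
	}
	for id, fix := range rep.Called {
		fmt.Printf("FAIL %s: vulnerable symbol is called (fixed in %s)\n", id, fix)
	}
	if rep.ShouldFail() {
		os.Exit(1)
	}
}
```

Run `go run triage.go -sample` to see the two buckets on the constructed input; in CI the step would be `govulncheck -json ./... | go run ./tools/triage`, where a non-zero exit fails the job and the WARN lines surface module-only findings without blocking merges. Parse failures exit with 2 so a format change in govulncheck is noticed rather than silently passing.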