From 477a6c2927ff1675ca2fde5da4a3c1fdd58743cc Mon Sep 17 00:00:00 2001
From: 0x524a
Date: Tue, 2 Dec 2025 23:08:47 -0500
Subject: [PATCH] chore: update CI workflows and SonarCloud configuration for enhanced security and coverage reporting
- Updated SonarCloud exclusions to include CLI tools and examples for better security hotspot analysis.
- Added new issue exclusions for hardcoded IP addresses and credentials in test files and CLI tools.
- Upgraded various GitHub Actions to their latest versions for improved performance and security.
- Streamlined CI workflows by ensuring consistent usage of action versions across all jobs.
---
 .github/workflows/ci.yml | 34 ++++++++++++-------------
 .github/workflows/dependency-review.yml | 5 ++--
 .github/workflows/docs.yml | 9 +++---
 .github/workflows/release.yml | 22 ++++++++--------
 .github/workflows/security.yml | 13 +++++-----
 .github/workflows/test.yml | 18 ++++++-------
 sonar-project.properties | 22 +++++++++++++---
 7 files changed, 68 insertions(+), 55 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9b50e3b..3f03ca8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -26,10 +26,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
 with:
 go-version: ${{ env.GO_VERSION }}
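Review bot: The SHA pins introduced in this hunk (`uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`, and the same pattern in every other workflow hunk of the patch) only stay current if an updater recognises the trailing `# vX.Y.Z` comment; nothing in this patch adds or touches a `.github/dependabot.yml` (or Renovate config) covering `github-actions`, so confirm one exists, otherwise these pins will silently age. If it does not, add the updater in the same change so the pinning is maintainable rather than a one-off snapshot.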
@@ -52,15 +52,15 @@ jobs:
 needs: fmt
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
 with:
 go-version: ${{ env.GO_VERSION }}
 - name: Cache Go modules
- uses: actions/cache@v4
+ uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
 with:
 path: |
 ~/.cache/go-build
@@ -76,7 +76,7 @@ jobs:
 run: go vet ./...
 - name: Run golangci-lint
- uses: golangci/golangci-lint-action@v6
+ uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v6.5.0
 with:
 version: latest
 args: --timeout=5m --out-format=github-actions
@@ -88,17 +88,17 @@ jobs:
 needs: lint
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0 # Full history for SonarCloud
 - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
 with:
 go-version: ${{ env.GO_VERSION }}
 - name: Cache Go modules
- uses: actions/cache@v4
+ uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
 with:
 path: |
 ~/.cache/go-build
@@ -124,7 +124,7 @@ jobs:
 go tool cover -func=coverage.out | tail -20
 - name: Upload coverage artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: coverage-reports
 path: |
@@ -133,7 +133,7 @@ jobs:
 retention-days: 7
 - name: Upload to Codecov
- uses: codecov/codecov-action@v4
+ uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v4.6.0
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 files: ./coverage.out
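Review bot: In the `@@ -76,7 +76,7` hunk, `version: latest` under the golangci-lint step undoes the point of pinning the action to a commit: the linter binary itself still floats, so a new major release can change results or break the run without any change to this repository. The unchanged `args: --timeout=5m --out-format=github-actions` is the concrete risk, since `--out-format` was removed in golangci-lint v2; if `latest` ever resolves to a v2 release this step fails. Pin the linter as well, e.g. `version: v<PINNED_GOLANGCI_LINT_VERSION>` matching the flags in use, and bump it deliberately alongside the action SHA.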
@@ -153,12 +153,12 @@ jobs:
 if: github.event_name == 'push' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/main') && github.repository == '0x524a/onvif-go'
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0 # Full history for accurate blame information
 - name: Download coverage reports
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 name: coverage-reports
@@ -175,7 +175,7 @@ jobs:
 fi
 - name: SonarCloud Scan
- uses: SonarSource/sonarcloud-github-action@master
+ uses: SonarSource/sonarcloud-github-action@4006f663ecaf1f8093e8e4abb9227f6041f52216 # v3.1.0
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
@@ -187,15 +187,15 @@ jobs:
 needs: test
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
 with:
 go-version: ${{ env.GO_VERSION }}
 - name: Cache Go modules
- uses: actions/cache@v4
+ uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
 with:
 path: |
 ~/.cache/go-build
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 0e3b41a..569c4f3 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -14,10 +14,9 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Dependency Review
- uses: actions/dependency-review-action@v4
+ uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1
 with:
 fail-on-severity: moderate
-
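Review bot: Replacing `@master` with a commit SHA in the `@@ -175,7 +175,7` hunk is the right move, but as far as I know `SonarSource/sonarcloud-github-action` has been deprecated upstream in favour of `SonarSource/sonarqube-scan-action`, so this pin may freeze an action that no longer receives fixes; worth confirming before merging and, if so, migrating in a follow-up rather than pinning the old one. The step also hands the scanner both `GITHUB_TOKEN` and `SONAR_TOKEN`; a short comment such as `# GITHUB_TOKEN is used only for PR decoration` above the `env:` block would make it clear why a third-party action needs the repository token.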
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index bc5f984..0eb1e8c 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -18,17 +18,16 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Check for broken links
- uses: peter-evans/link-checker@v1
+ uses: lycheeverse/lychee-action@f81112d0d2814ded911bd23e3beaa9dda9093915 # v2.3.0
 with:
- args: -v -r -d docs/
+ args: --verbose --no-progress docs/ *.md
 continue-on-error: true
 - name: Validate markdown
- uses: DavidAnson/markdownlint-cli2-action@v16
+ uses: DavidAnson/markdownlint-cli2-action@05f32210e84442804257b2c8a4c84aa7067b5e06 # v19.0.0
 with:
 globs: 'docs/**/*.md'
 continue-on-error: true
-
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d9a4fbe..ecdb44a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -43,12 +43,12 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
 - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
 with:
 go-version: '1.24'
@@ -143,7 +143,7 @@ jobs:
 fi
 - name: Upload artifacts
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: release-${{ matrix.goos }}-${{ matrix.goarch }}
 path: releases/*
@@ -155,12 +155,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
 - name: Download all artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 path: all-releases
 pattern: release-*
@@ -196,7 +196,7 @@ jobs:
 fi
 - name: Create Release
- uses: softprops/action-gh-release@v2
+ uses: softprops/action-gh-release@7b4da11513bf3f43f9999e90eabced41ab8bb048 # v2.2.2
 with:
 files: all-releases/*
 draft: false
@@ -246,16 +246,16 @@ jobs:
 if: (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')) || github.event_name == 'workflow_dispatch'
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.6.0
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
 - name: Login to GitHub Container Registry
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -274,7 +274,7 @@ jobs:
 echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
 - name: Build and push
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v5.5.0
 with:
 context: .
 platforms: linux/amd64,linux/arm64,linux/arm/v7
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index f9fda5f..4694c53 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
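Review bot: The `Build and push` step in the `@@ -274,7 +274,7` hunk pins the action, but the visible part of its `with:` block (which continues past the hunk) shows no `provenance:` or `sbom:` input; for a multi-platform image pushed to ghcr.io from a release workflow, emitting BuildKit provenance and an SBOM is the natural companion to SHA-pinning the toolchain. Unless it is already set further down, add `provenance: mode=max` and `sbom: true` next to `platforms:` so consumers can verify how the published image was built.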
@@ -19,21 +19,21 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
 with:
 go-version: '1.24'
 - name: Run Gosec Security Scanner
- uses: securego/gosec@master
+ uses: securego/gosec@6fbd381238e97e1d1f3571f527c134d5b5ce6986 # v2.21.4
 with:
 args: '-no-fail -fmt json -out gosec-report.json ./...'
 - name: Upload gosec report
 if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: gosec-report
 path: gosec-report.json
@@ -56,10 +56,10 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
 with:
 go-version: '1.24'
@@ -67,4 +67,3 @@ jobs:
 run: |
 go install golang.org/x/vuln/cmd/govulncheck@latest
 govulncheck ./...
-
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index e70dfa4..9a62635 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -24,15 +24,15 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
 with:
 go-version: ${{ matrix.go-version }}
 - name: Cache Go modules
- uses: actions/cache@v4
+ uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
 with:
 path: |
 ~/.cache/go-build
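Review bot: `go install golang.org/x/vuln/cmd/govulncheck@latest` in the `@@ -67,4 +67,3` hunk is the one floating dependency left in a workflow whose stated purpose is pinning; pin it to a release, `go install golang.org/x/vuln/cmd/govulncheck@v<PINNED_GOVULNCHECK_VERSION>`, and bump it deliberately like the action SHAs. In the `@@ -19,21 +19,21` hunk the unchanged `args: '-no-fail -fmt json -out gosec-report.json ./...'` means gosec findings never fail the job and only land in an artifact nobody is forced to open, so the scanner is informational rather than a gate. Consider dropping `-no-fail` (suppressing accepted findings through gosec's own exclude/config mechanism instead) or switching to `-fmt sarif` and uploading the report to code scanning so findings surface on the pull request.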
@@ -54,15 +54,15 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
 with:
 go-version: '1.24'
 - name: Cache Go modules
- uses: actions/cache@v4
+ uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
 with:
 path: |
 ~/.cache/go-build
@@ -84,15 +84,15 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
 with:
 go-version: '1.24'
 - name: Cache Go modules
- uses: actions/cache@v4
+ uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
 with:
 path: |
 ~/.cache/go-build
diff --git a/sonar-project.properties b/sonar-project.properties
index cfffe96..c93dd4f 100644
--- a/sonar-project.properties
+++ b/sonar-project.properties
@@ -27,12 +27,12 @@ sonar.coverage.exclusions=**/cmd/**,**/examples/**,**/server/**,**/testing/**,**
 # Duplications exclusions
 sonar.cpd.exclusions=**/*_test.go,**/testdata/**
-# Security Hotspot exclusions - skip test files and CI configuration
+# Security Hotspot exclusions - skip test files, CI configuration, and CLI tools
 # These files don't represent production security concerns
 sonar.security.hotspots.exclusions=**/*_test.go,**/testing/**,**/testdata/**,**/.github/**,**/examples/**,**/cmd/**
-# Issue exclusions for specific rules in test files
-sonar.issue.ignore.multicriteria=e1,e2,e3
+# Issue exclusions for specific rules
+sonar.issue.ignore.multicriteria=e1,e2,e3,e4,e5,e6,e7
 # Ignore security issues in test files
 sonar.issue.ignore.multicriteria.e1.ruleKey=go:S5042
@@ -44,3 +44,19 @@ sonar.issue.ignore.multicriteria.e2.resourceKey=**/*_test.go
 sonar.issue.ignore.multicriteria.e3.ruleKey=go:S6418
 sonar.issue.ignore.multicriteria.e3.resourceKey=**/examples/**
+
+# Ignore hardcoded IP addresses in test files (test IPs like 192.168.x.x are expected)
+sonar.issue.ignore.multicriteria.e4.ruleKey=go:S1313
+sonar.issue.ignore.multicriteria.e4.resourceKey=**/*_test.go
+
+# Ignore hardcoded IP addresses in CLI tools (example/default IPs for demos)
+sonar.issue.ignore.multicriteria.e5.ruleKey=go:S1313
+sonar.issue.ignore.multicriteria.e5.resourceKey=**/cmd/**
+
+# Ignore hardcoded IP addresses in examples
+sonar.issue.ignore.multicriteria.e6.ruleKey=go:S1313
+sonar.issue.ignore.multicriteria.e6.resourceKey=**/examples/**
+
+# Ignore hardcoded credentials in CLI tools (default/demo credentials)
+sonar.issue.ignore.multicriteria.e7.ruleKey=go:S6418
+sonar.issue.ignore.multicriteria.e7.resourceKey=**/cmd/**
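Review bot: `sonar.issue.ignore.multicriteria.e7.resourceKey=**/cmd/**` switches off go:S6418 (hard-coded credentials) for every file under cmd/, and together with the `**/cmd/**` entry in `sonar.security.hotspots.exclusions` (re-documented as "CLI tools" in the preceding hunk) this makes credential findings in shipped CLI binaries invisible, which is far broader than the "default/demo credentials" rationale in the comment requires. Narrow `e7.resourceKey` to the specific files that carry demo defaults, or keep the rule on and mark the individual default values with `// NOSONAR`, so a real hard-coded credential added to cmd/ later is still flagged. The S1313 exclusions e4–e6 for hard-coded IPs in tests, demos and examples are reasonable as written; only e7 suppresses a rule whose findings would be production-relevant.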