
Using Gosec For Go Security Analysis


About Gosec

Gosec helps spot problems directly in your Go source code, such as hard-coded passwords, personal access tokens, insecure random number seeds and more.

The Gosec documentation provides more information, in addition to the setup instructions below.

CodeShip Basic

Project Configuration

To use Gosec with your CodeShip Basic project, you’ll need to build Go in your project’s setup commands. You can do this by selecting Go from the list of languages, or by including commands similar to the following in your setup commands:

export GO_VERSION="1.8.1"
source /dev/stdin <<< "$(curl -sSL https://raw.githubusercontent.com/codeship/scripts/master/languages/go.sh)"
go get -t -v ./...
go build -v

From there, simply install Gosec and specify the rules you need via your project’s test or deployment commands, as seen below:

curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $GOPATH/bin latest
gosec ${HOME}/src/github.com/michaelneale/mikerowecode.com

Note that this example uses a repo provided by a CloudBees team member, but you can develop your own repo for long-term use.

CodeShip Pro

To use Gosec with your CodeShip Pro project, you’ll need to have Go accessible either via an image you’re using or a Dockerfile you’re building in your codeship-services.yml file.

An example set of instructions to customize and include in your Dockerfile is below, if you’re not already including Go:

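ENV GO_VERSION="1.8.1"
# Each RUN starts a new shell, so nothing exported or sourced in one RUN survives
# into the next; source and <<< also need bash, so do it all in one bash call.
RUN bash -c 'source /dev/stdin <<< "$(curl -sSL https://raw.githubusercontent.com/codeship/scripts/master/languages/go.sh)" && go get -t -v ./... && go build -v'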

From there, simply install Gosec and specify the rules you need via a script you call in your project’s codeship-steps.yml file.

For instance, you can take the below code and store it as a script in your repository as gosec.sh:

#!/bin/sh
# Install Gosec into $GOPATH/bin, then scan the project source tree.
curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b "$GOPATH/bin" latest
gosec "${HOME}/src/github.com/michaelneale/mikerowecode.com"

Note that this example uses a repo provided by a CloudBees team member, but you can develop your own repo for long-term use.

Next, you can call this script as a step via your codeship-steps.yml file:

- name: gosec
  service: app
  command: gosec.sh
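
A hardened variant of the gosec.sh script above, as an added example that is not part of the original article or CodeShip's own code: it pins a release instead of installing latest from master, and verifies the installer's SHA-256 before running it. The version tag and digest are placeholders to fill in; fetching install.sh from the tag's URL and scanning ./... are assumptions.

```shell
#!/bin/sh
# gosec.sh (added example): pinned, checksum-verified Gosec install for CI.
# Usage: gosec.sh <gosec arguments>, e.g. gosec.sh ./...
set -eu

# Placeholders, not values from the article: set both from a release you reviewed.
GOSEC_VERSION="${GOSEC_VERSION:-vX.Y.Z}"
INSTALLER_SHA256="${INSTALLER_SHA256:-REPLACE_WITH_REVIEWED_DIGEST}"
# Assumption: install.sh is fetched from the pinned tag rather than from master.
INSTALLER_URL="https://raw.githubusercontent.com/securego/gosec/${GOSEC_VERSION}/install.sh"

# Print the lowercase hex SHA-256 of file $1.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1"
  else
    shasum -a 256 "$1"
  fi | awk '{print $1}'
}

# Succeed only if file $1 hashes to the expected digest $2.
verify_sha256() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# Download the installer to disk, verify it, and only then execute it.
install_gosec() {
  installer="$(mktemp)"
  curl -sSfL -o "$installer" "$INSTALLER_URL"
  if ! verify_sha256 "$installer" "$INSTALLER_SHA256"; then
    echo "gosec installer digest mismatch; refusing to run it" >&2
    rm -f "$installer"
    return 1
  fi
  sh "$installer" -b "$(go env GOPATH)/bin" "$GOSEC_VERSION"
  rm -f "$installer"
}

# With no arguments the file only defines the functions above.
if [ "$#" -gt 0 ]; then
  install_gosec
  PATH="$(go env GOPATH)/bin:$PATH"
  gosec "$@"   # Gosec's non-zero exit on findings fails the CI step
fi
```

With this variant the step's command becomes gosec.sh ./... so that the scan target is passed explicitly.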
