chore: use infra-checkers static analysis settings and include known issue to trivyignore (#52)

sigilioso · web-flow · commit eaffa2e999c2 · 2022-08-29T08:42:18.000+02:00
diff --git a/.github/workflows/push_pr.yml b/.github/workflows/push_pr.yml
@@ -19,13 +19,18 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - uses: actions/checkout@v2
+      - uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GO_VERSION }}
       - uses: newrelic/newrelic-infra-checkers@v1
+        with:
+          golangci-lint-config: golangci-lint-limited
       - name: Semgrep
         uses: returntocorp/semgrep-action@v1
         with:
           auditOn: push
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v2
+        uses: golangci/golangci-lint-action@v3
         continue-on-error: ${{ github.event_name != 'pull_request' }}
         with:
           only-new-issues: true
diff --git a/.golangci.yml b/.golangci.yml
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,3 @@
+# We are running the 2.16.0 version of github.com/emicklei/go-restful that had the fix backported, but trivy still points it out as false-positive
+# This is going to be fixed by 2.15 of the kubernetes client go, they decided not to backport the fix since they are not using the impacted feature.
+CVE-2022-1996
diff --git a/Makefile b/Makefile
@@ -8,32 +8,23 @@ IMAGE_NAME   ?= newrelic/nri-discovery-kubernetes
 GOPATH := $(shell go env GOPATH)
 GORELEASER_VERSION := v0.168.0
 GORELEASER_BIN ?= bin/goreleaser
-GOLANGCI_LINT_BIN = golangci-lint
 
 all: build
 
-build: check-version clean validate test compile
+build: check-version clean test compile
 
 clean:
 	@echo "=== $(PROJECT) === [ clean ]: Removing binaries and coverage file..."
 	@rm -rfv bin
 	@rm -rfv target
 
-tools: check-version
-	@which $(GOLANGCI_LINT_BIN) || echo "golangci-lint not found in PATH" >&2 && exit 1
-
 fmt:
 	@go fmt ./...
 
 deps:
 	@echo "=== $(PROJECT) === [ deps ]: Installing package dependencies required by the project..."
 	@go mod download
 
-validate: deps
-	@echo "=== $(PROJECT) === [ validate ]: Validating source code running golangci-lint..."
-	@${GOLANGCI_LINT_BIN} --version
-	@${GOLANGCI_LINT_BIN} run
-
 compile: deps
 	@echo "=== $(PROJECT) === [ compile ]: Building $(BINARY_NAME)..."
 	@go build -o bin/$(BINARY_NAME) ./cmd/discovery/
@@ -71,4 +62,4 @@ endif
 include $(CURDIR)/build/ci.mk
 include $(CURDIR)/build/release.mk
 
-.PHONY: all fmt build clean tools tools-update deps deps-only validate compile compile-only test check-version tools-golangci-lint docker-build release release/deps release/test docker-release
+.PHONY: all fmt build clean tools tools-update deps deps-only compile compile-only test check-version docker-build release release/deps release/test snyk snyk/monitor docker-release

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# We are running the 2.16.0 version of github.com/emicklei/go-restful that had the fix backported, but trivy still points it out as false-positive`
	`2`	`+# This is going to be fixed by 2.15 of the kubernetes client go, they decided not to backport the fix since they are not using the impacted feature.`
	`3`	`+CVE-2022-1996`