0981fb82d6
Both checks already passed locally on the current dev tip; wiring them into the canonical pre-commit gate so security regressions fail fast instead of leaking into a release. - 'make vuln' runs govulncheck with reachability analysis against the Go vuln DB. - 'make sec' runs semgrep with p/golang + p/security-audit, metrics off, --error so findings exit non-zero. Tools must be installed locally (commands in Makefile comments). If upstream Woodpecker CI runs 'make check', it will need both binaries on the runner image.
Makefile
.PHONY: build run check install test lint cover clean fmt vet vuln sec
|
|
|
|
BINARY := gnoma
|
|
BINDIR := ./bin
|
|
MODULE := somegit.dev/Owlibou/gnoma
|
|
|
|
build:
|
|
go build -o $(BINDIR)/$(BINARY) ./cmd/gnoma
|
|
|
|
run: build
|
|
$(BINDIR)/$(BINARY)
|
|
|
|
check: fmt vet lint test vuln sec
|
|
@echo "All checks passed!"
|
|
|
|
install:
|
|
go install $(MODULE)/cmd/$(BINARY)
|
|
|
|
test:
|
|
go test ./...
|
|
|
|
test-v:
|
|
go test -v ./...
|
|
|
|
test-integration:
|
|
go test -tags integration ./...
|
|
|
|
cover:
|
|
go test -coverprofile=coverage.out ./...
|
|
go tool cover -html=coverage.out -o coverage.html
|
|
|
|
lint:
|
|
golangci-lint run ./...
|
|
|
|
fmt:
|
|
gofmt -w .
|
|
|
|
vet:
|
|
go vet ./...
|
|
|
|
clean:
|
|
rm -rf $(BINDIR) coverage.out coverage.html
|
|
|
|
tidy:
|
|
go mod tidy
|
|
|
|
# Reachability-checked dependency vuln scan against the Go vuln DB.
|
|
# Install: go install golang.org/x/vuln/cmd/govulncheck@latest
|
|
vuln:
|
|
govulncheck ./...
|
|
|
|
# Static security analysis via Semgrep (Go ruleset + security-audit).
|
|
# Install: pip install semgrep (or: brew install semgrep)
|
|
sec:
|
|
semgrep --config=p/golang --config=p/security-audit --metrics=off --error .
|
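Review bot: The new `sec` recipe resolves `p/golang` and `p/security-audit` from the Semgrep registry on every run, and the `vuln` install comment says `@latest`, so neither the rule set nor the scanner version behind the pre-commit gate is pinned — a run that passes today and fails tomorrow cannot be attributed to the code, and a commit made offline fails on a network error rather than on a finding. Consider pinning the govulncheck version in the install comment (and ideally through a tools entry in go.mod) and recording the Semgrep ruleset revisions or keeping a checked-in rules file alongside the registry packs. Because `make check` is now the gate and a missing binary fails with only the shell's bare 'command not found', a guard such as `@command -v semgrep >/dev/null || { echo "semgrep not installed (see Makefile comment)"; exit 1; }` ahead of the `semgrep` line (and the same for `govulncheck`) would make the failure self-explanatory on the Woodpecker runner the description mentions. Visible in the same header, `.PHONY` now lists `vuln sec` but still omits `test-v`, `test-integration` and `tidy`.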