feat: new command "scan-source" #555
Draft
+314
−0
Adds a new experimental command to start letting us do source code scans of our distro packages. The goal here is to both:
govulncheck that otherwise appear to be true positives in simple binary scans.

For now, this just uses govulncheck, wired in as a library. But in subsequent iterations we can add Grype or other scanners that will help surface findings in raw source code.

To finish this first iteration, there's a handful of tasks left to do:
fetch pipelines (currently this just supports git-checkout pipelines)