This repository has been archived by the owner on May 21, 2023. It is now read-only.
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 2 changed files with 15 additions and 4 deletions.
@@ -44,7 +44,7 @@ attack surface besides stealing your CPU cycles. | |
|
||
Implementing the approach above would require changes to Go itself. So I came up with another, simpler approach: GoCap. | ||
GoCap can check and validate the source code of dependencies for their capabilities and is ment to be included into the | ||
testing phase of the build process. This way GoCap can to at least pin the capabilities of dependencies. | ||
testing phase of the build process. This way GoCap can at least pin the capabilities of dependencies. | ||
|
||
GoCap provides simple capability checking for Go using a `go.cap` file. The | ||
`go.cap` files lists all package dependencies that require critical permissions like file access, execution rights or | ||
|
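Review bot: the fix of "can to at least pin" to "can at least pin" leaves the typo "ment" (for "meant") in the preceding context line of the same sentence, "is ment to be included into the testing phase"; correct it to "is meant to be included in the testing phase" in this commit so the sentence is fixed in one place.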
@@ -60,6 +60,14 @@ github.com/alecthomas/kong (file, syscall) | |
github.com/pkg/errors (runtime) | ||
``` | ||
|
||
### Install GoCap | ||
|
||
You can [download a release](https://github.com/cugu/gocap/releases) or run | ||
|
||
```shell | ||
go install github.com/cugu/[email protected] | ||
``` | ||
|
||
### gocap generate | ||
|
||
`gocap generate <path>` prints a valid `go.cap` file. It lists all dependency packages that require critical permissions | ||
|
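Review bot: the install command in the new "Install GoCap" section is rendered here as `go install github.com/cugu/[email protected]`, so the version suffix cannot be checked from the hunk; the README should state an explicit release tag (one that exists on the linked releases page) rather than a floating version, because a tool whose purpose is pinning dependency capabilities in CI should itself be installed at a pinned version for reproducible builds. The section is also inserted between the example `go.cap` output and the `gocap generate` section; placing it before the usage examples would read more naturally.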
@@ -84,6 +92,7 @@ github.com/pkg/errors (runtime) | |
|
||
`gocap check <path>` compares a local `go.cap` file with the actual required capabilities by dependency packages. Any | ||
missmatch results in a non-zero exit code, so you can use GoCap check in your CI pipelines. | ||
See [ci.yml](https://github.com/cugu/gocap/blob/main/.github/workflows/ci.yml#L28) for a working example. | ||
|
||
*Example* | ||
|
||
|
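Review bot: the new link to `ci.yml` uses a line anchor (`#L28`) on the `main` branch, which will silently point at the wrong line as soon as the workflow file is edited; use a commit-SHA permalink, or drop the line anchor and name the job or step instead. The unchanged context line above it still reads "missmatch"; since this hunk already touches the paragraph, correct it to "mismatch" here as well.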