Add --exclude-dirs and --report-dir flags to sast.sh (#10766)

* Adding --exclude-dirs flag to sast.sh * Adding --report-dir flag * Address feedback
gardener · Nov 11, 2024 · 2de78f5 · 2de78f5
1 parent b95382f
commit 2de78f5
Showing 1 changed file with 11 additions and 4 deletions.
diff --git a/hack/sast.sh b/hack/sast.sh
@@ -6,17 +6,24 @@
 
 set -e
 
-root_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." &> /dev/null && pwd )"
+report_dir="$(git rev-parse --show-toplevel)"
 
 gosec_report="false"
 gosec_report_parse_flags=""
+exclude_dirs="hack"
 
 parse_flags() {
   while test $# -gt 1; do
     case "$1" in
       --gosec-report)
         shift; gosec_report="$1"
         ;;
+      --report-dir)
+        shift; report_dir="$1"
+        ;;
+      --exclude-dirs)
+        shift; exclude_dirs="$1"
+        ;;
       *)
         echo "Unknown argument: $1"
         exit 1
@@ -31,8 +38,8 @@ parse_flags "$@"
 echo "> Running gosec"
 gosec --version
 if [[ "$gosec_report" != "false" ]]; then
-  echo "Exporting report to $root_dir/gosec-report.sarif"
-  gosec_report_parse_flags="-track-suppressions -fmt=sarif -out=gosec-report.sarif -stdout"
+  echo "Exporting report to ${report_dir}/gosec-report.sarif"
+  gosec_report_parse_flags="-track-suppressions -fmt=sarif -out=${report_dir}/gosec-report.sarif -stdout"
 fi
 
 # Gardener uses code-generators https://github.com/kubernetes/code-generator and https://github.com/protocolbuffers/protobuf
@@ -41,4 +48,4 @@ fi
 # Thus, generated code is excluded from gosec scan.
 # Nested go modules are not supported by gosec (see https://github.com/securego/gosec/issues/501), so the ./hack folder
 # is excluded too. It does not contain productive code anyway.
-gosec -exclude-generated -exclude-dir=hack $gosec_report_parse_flags ./...
+gosec -exclude-generated $(echo "$exclude_dirs" | awk -v RS=',' '{printf "-exclude-dir %s ", $1}') $gosec_report_parse_flags ./...