From 8c76e44d10988dba345372888c3827d9af4a178e Mon Sep 17 00:00:00 2001
From: Shane C
Date: Fri, 6 Sep 2024 21:25:47 -0400
Subject: [PATCH] run gosec from app

---
 .forgejo/workflows/gosec.yml | 5 ++---
 Dockerfile | 2 +-
 cmd/root.go | 21 ++++++++++++++++-----
 entrypoint.sh | 2 +-
 go.mod | 3 ++-
 go.sum | 3 +++
 6 files changed, 25 insertions(+), 11 deletions(-)

diff --git a/.forgejo/workflows/gosec.yml b/.forgejo/workflows/gosec.yml
index 6beb3e1..2128c94 100644
--- a/.forgejo/workflows/gosec.yml
+++ b/.forgejo/workflows/gosec.yml
@@ -13,8 +13,7 @@ jobs:
 uses: actions/checkout@v4
 - uses: actions/setup-go@v5
 with:
- go-version: '1.21'
- - run: go mod download && go install github.com/a-h/templ/cmd/templ@latest
- - run: templ generate
+ go-version: '1.22'
+ - run: go mod download
 - name: Run Gosec Security Scanner
 uses: actions/goscan@main
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index 583ae4f..453f4ef 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,7 +8,7 @@ RUN CGO_ENABLED=0 go build -ldflags="-s -w" -trimpath -o build/goscan
 FROM alpine:3.20
-RUN apk --no-cache update && apk --no-cache upgrade && apk --no-cache add curl
+RUN apk --no-cache update && apk --no-cache upgrade && apk add curl
 COPY --from=builder /app/build/goscan /goscan
 COPY ./entrypoint.sh /entrypoint.sh
diff --git a/cmd/root.go b/cmd/root.go
index 37b647f..fad917b 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -7,8 +7,8 @@ package cmd
 import (
 "codeberg.org/mvdkleijn/forgejo-sdk/forgejo"
 "fmt"
+ "git.eggactyl.cloud/Eggactyl/shell/linux"
 "github.com/go-git/go-git/v5"
- "github.com/kr/pretty"
 "github.com/nao1215/markdown"
 "github.com/owenrumney/go-sarif/sarif"
 "github.com/sethvargo/go-githubactions"
@@ -36,8 +36,6 @@ var rootCmd = &cobra.Command{
 log.Fatalln(err)
 }
- pretty.Logln(cwd)
-
 repo, err := git.PlainOpen(cwd)
 if err != nil {
 log.Fatalln(err)
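Review bot: The toolchain version is now hard-coded here as `go-version: '1.22'` and presumably again in the `go` directive of go.mod, and the two can drift silently the next time either is bumped; setup-go can read it from the module file instead, so `go-version-file: go.mod` in place of the `go-version` line removes the duplicate. The `actions/goscan@main` step two lines below is unchanged by this commit, but it floats on a branch ref rather than a tag or commit SHA, and since this workflow is being edited anyway it is a good moment to pin it.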
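Review bot: Dropping `--no-cache` from the `apk add curl` step makes that call asymmetric with the `update` and `upgrade` calls on the same line, and as far as I can tell it lets apk keep the fetched package index under /var/cache/apk inside the final image layer, which the other two flags exist to avoid. The idiomatic form for an Alpine stage is a single `RUN apk --no-cache upgrade && apk --no-cache add curl`, since `--no-cache` fetches the index per call and a separate `update` adds nothing. If the flag was removed because the `add` step was failing, a short comment on the line explaining why would stop the next reader from "fixing" it back.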
@@ -48,8 +46,21 @@ var rootCmd = &cobra.Command{
 log.Fatalln(err)
 }
- pretty.Logln(ref.Name().Short())
- pretty.Logln(ref.Hash().String())
+ gosecCmd, err := linux.NewCommand(linux.CommandOptions{
+ Cwd: cwd,
+ Shell: "/bin/sh",
+ Command: "gosec",
+ Args: []string{
+ "-r", "-no-fail", "-fmt", "sarif", "-out", "output.sarif", "./...",
+ },
+ })
+ if err != nil {
+ log.Fatalln(err)
+ }
+
+ if err := gosecCmd.Run(); err != nil {
+ log.Fatalln(err)
+ }
 report, err := sarif.Open("output.sarif")
 if err != nil {
diff --git a/entrypoint.sh b/entrypoint.sh
index 306d61f..88bb81c 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
 curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b /usr/local/bin
-gosec -r -no-fail -fmt sarif -out output.sarif "$PWD"
+# gosec -r -no-fail -fmt sarif -out output.sarif "$PWD"
 /goscan --is-action
\ No newline at end of file
diff --git a/go.mod b/go.mod
index 7fa774b..9405f0b 100644
--- a/go.mod
+++ b/go.mod
@@ -13,6 +13,7 @@ require (
 require (
 codeberg.org/mvdkleijn/forgejo-sdk/forgejo v1.1.1 // indirect
 dario.cat/mergo v1.0.0 // indirect
+ git.eggactyl.cloud/Eggactyl/shell v0.0.0-20240824225129-2ced31effd66 // indirect
 github.com/Microsoft/go-winio v0.6.1 // indirect
 github.com/ProtonMail/go-crypto v1.0.0 // indirect
 github.com/cloudflare/circl v1.3.7 // indirect
@@ -58,7 +59,7 @@ require (
 golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
 golang.org/x/mod v0.12.0 // indirect
 golang.org/x/net v0.23.0 // indirect
- golang.org/x/sys v0.19.0 // indirect
+ golang.org/x/sys v0.22.0 // indirect
 golang.org/x/text v0.14.0 // indirect
 golang.org/x/tools v0.13.0 // indirect
 gopkg.in/ini.v1 v1.67.0 // indirect
diff --git a/go.sum b/go.sum
index 9935ed5..79ea965 100644
--- a/go.sum
+++ b/go.sum
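Review bot: The gosec invocation is routed through a new third-party module, `git.eggactyl.cloud/Eggactyl/shell/linux`, whose `Shell: "/bin/sh"` option suggests the command line is handed to a shell rather than exec'd as an argv, and the go.mod hunk records that module as `// indirect` even though this file imports it directly. The arguments are constants and `cwd` is assigned earlier in the function (outside this hunk), so nothing user-controlled reaches the shell here, but the standard library does the same job with no shell and no pseudo-versioned dependency from a self-hosted forge: `exec.Command` with `Dir` set to `cwd`, sketched below (`os/exec` replaces the new import, and `os` is needed if it is not already imported). Whatever is kept, `go mod tidy` should be run so the require entry moves to the direct block and go.sum gains the module `h1:` line for `golang.org/x/sys v0.22.0`, since the go.sum hunk adds only its `/go.mod` hash. The rootCmd Run body containing this code starts and ends outside the hunk.
```go
	// … unchanged: ref lookup and its error check …
	// Exec gosec directly: argv goes to the kernel, no shell parsing of the arguments.
	gosecCmd := exec.Command("gosec", "-r", "-no-fail", "-fmt", "sarif", "-out", "output.sarif", "./...")
	gosecCmd.Dir = cwd
	// Surface gosec's own diagnostics in the action log instead of discarding them.
	gosecCmd.Stdout = os.Stdout
	gosecCmd.Stderr = os.Stderr
	if err := gosecCmd.Run(); err != nil {
		log.Fatalln(err)
	}

	report, err := sarif.Open("output.sarif")
```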
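Review bot: The commented-out `# gosec -r -no-fail -fmt sarif -out output.sarif "$PWD"` line is dead text now that /goscan runs gosec itself; delete it rather than keep it, since git history preserves the old command and a stale copy of the argument list here will drift from the one in cmd/root.go. The `curl ... | sh` line above it, unchanged by this commit, is now the only thing that puts `gosec` on the PATH the Go code depends on, and it fetches the installer from the `master` branch at every container start, so the scanner version is whatever upstream happened to publish that day. The installer script takes a release tag as a trailing argument, so pinning one there, or installing gosec in the build stage of the Dockerfile with a checksum, would make each scan reproducible and keep a compromised or broken upstream script from running as this image's entrypoint.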
@@ -2,6 +2,8 @@ codeberg.org/mvdkleijn/forgejo-sdk/forgejo v1.1.1 h1:WEI3FZdoQjaiaR15TRmyGfY091R
 codeberg.org/mvdkleijn/forgejo-sdk/forgejo v1.1.1/go.mod h1:09wAYX9H0+wBo1baX9DdSqdfreZc6ji5aELsnu9m14M=
 dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
 dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
+git.eggactyl.cloud/Eggactyl/shell v0.0.0-20240824225129-2ced31effd66 h1:nKQ5M7/Ugn536WbH07f6NZGKy+4z04i7KoAwUU8Ibaw=
+git.eggactyl.cloud/Eggactyl/shell v0.0.0-20240824225129-2ced31effd66/go.mod h1:/QCc50YmA6jiIzIafuDiRJXhZyNu0wKLlgeUMPv5S68=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
 github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
 github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
@@ -180,6 +182,7 @@ golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
 golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=