securego/gosec

GitHub action `v2.21.2` uses `securego/gosec:2.21.1` docker image with broken SARIF output

Closed this issue · 5 comments

Summary

Problem described in #1214 still appears. GitHub action v2.21.2 still uses securego/gosec:2.21.1 docker image. The error with SARIF upload is the same.

UPD: the securego/gosec@master action uses docker image v2.21.2, though the issue with SARIF output still exists. (link to workflow run)

Steps to reproduce the behavior

Use securego/gosec:2.21.2 GitHub action against any repository with SARIF output upload to GitHub Advanced Security Dashboard.

gosec version

GitHub action securego/gosec@v2.21.2.

Go version (output of 'go version')

No go setup has been performed.

Operating system / Environment

ubuntu-latest default GitHub runner.

Expected behavior

GitHub action pulls securego/gosec:2.21.2 image.

Actual behavior

GitHub action pulls securego/gosec:2.21.1 image with broken SARIF output.

Action was updated to 2.21.2

image: 'docker://securego/gosec:2.21.2'

Also the SARIF output was successfully uploaded in GitHub. See the output of https://github.com/securego/gosec/actions/runs/10775152002/job/29878917216

@ccojocar Workflow uses securego/gosec@master, see line 18.

Hi @ccojocar,
I kindly ask if you could consider reopening the issue, as it seems there might be an inconsistency with tag 2.21.2 of securego/gosec.

Also the SARIF output was successfully uploaded in GitHub. See the output of https://github.com/securego/gosec/actions/runs/10775152002/job/29878917216

In your run, it appears that securego/gosec is using the master branch, see line 33 of the output https://github.com/securego/gosec/actions/runs/10775152002/job/29878917216#step:1:37.

On our side, we're using the tag v2.21.2, which seems to be pulling a previous version of the Docker image. Please see line 33 from our run: https://github.com/wavesplatform/gowaves/actions/runs/10812421492/job/29994022318?pr=1492#step:1:37

I understand this issue was previously closed, but I would greatly appreciate it if you could take another look.

Thank you for your time and consideration!

as it seems there might be an inconsistency with tag 2.21.2 of securego/gosec.

I've noticed that the tag 2.21.2 is linked to commit abfe8cf, though the action update was made in the next commit 5f3194b, which is the HEAD of the master branch.

Workflow uses securego/gosec@master, see line 18.

It is the action version from the master branch, but inside, that action is using gosec version 2.21.2, as I pointed out above.
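As an added example (not part of this issue thread or the gosec project), a stdlib-only Python check for the kind of mismatch discussed above: it reads the `runs.image` line of an action.yml and reports whether the Docker image tag agrees with the release tag a workflow pins with `uses:`. The two action.yml snippets are constructed to mirror the states described in the thread (tag v2.21.2 still referencing image 2.21.1, master referencing 2.21.2); a branch ref such as `master` is reported as not comparable rather than as consistent.

```python
import re
from typing import Optional

# Matches the `image:` line of a Docker-based action.yml, e.g.
#   image: 'docker://securego/gosec:2.21.2'
IMAGE_RE = re.compile(
    r"""^\s*image:\s*['"]?docker://(?P<repo>[^:'"\s]+):(?P<tag>[^'"\s]+)['"]?\s*$""",
    re.MULTILINE,
)
VERSION_RE = re.compile(r"v?\d+(\.\d+)*")

# Constructed samples, not copied from the gosec repository.
ACTION_YML_AT_TAG = """name: gosec
runs:
  using: 'docker'
  image: 'docker://securego/gosec:2.21.1'
"""
ACTION_YML_AT_MASTER = """name: gosec
runs:
  using: 'docker'
  image: 'docker://securego/gosec:2.21.2'
"""


def image_ref(action_yml: str) -> tuple[str, str]:
    """Return (repository, tag) of the docker:// image an action.yml runs."""
    m = IMAGE_RE.search(action_yml)
    if not m:
        raise ValueError("no docker:// image found in action.yml")
    return m.group("repo"), m.group("tag")


def normalize(tag: str) -> str:
    """Drop a leading 'v' so v2.21.2 and 2.21.2 compare equal."""
    return tag[1:] if tag.startswith("v") and tag[1:2].isdigit() else tag


def check_pin(action_ref: str, action_yml: str) -> dict:
    """Compare the ref a workflow pins (`uses: owner/repo@<ref>`) with the
    image tag baked into action.yml at that ref. `consistent` is None when
    the ref is a branch, since a branch name carries no version to compare."""
    repo, image_tag = image_ref(action_yml)
    consistent: Optional[bool] = None
    if VERSION_RE.fullmatch(action_ref):
        consistent = normalize(image_tag) == normalize(action_ref)
    return {"action_ref": action_ref, "image": f"{repo}:{image_tag}", "consistent": consistent}
```

In a release pipeline this check belongs where the tag is cut, so a tag whose action.yml still points at the previous image fails before it is published.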