Merge pull request #98 from EasyPost/gosec

feat: adds gosec to project
EasyPost · Jul 11, 2022 · 8e1aaac · 8e1aaac
2 parents 82820d3 + 4fd3a16
commit 8e1aaac
Show file tree

Hide file tree

Showing 6 changed files with 28 additions and 12 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -25,7 +25,11 @@ jobs:
         uses: actions/setup-go@v3
         with:
           go-version: ${{ matrix.go-version }}
-      - name: build
-        run: make build
+      - name: install
+        run: make install
       - name: run tests
         run: EASYPOST_TEST_API_KEY=123 EASYPOST_PROD_API_KEY=123 make test
+      - name: Run Gosec
+        uses: securego/gosec@master
+        with:
+          args: ./...
diff --git a/Makefile b/Makefile
@@ -19,8 +19,13 @@ clean:
 coverage: 
 	go clean -testcache && go test ./tests -coverprofile=covprofile -coverpkg=./... && go tool cover -html=covprofile
 
-## install - Install globally from source
+## gosec - Run gosec to scan for security issues
+gosec:
+	gosec ./...
+
+## install - Install and vendor dependencies
 install:
+	go mod vendor
 	go build -o $(PROJECT_PATH)
 
 ## lint - Lint the project
@@ -31,4 +36,8 @@ lint:
 test:
 	go clean -testcache && go test ./tests
 
-.PHONY: help build clean coverage install lint test
+## tidy - Tidies up the vendor directory
+tidy:
+	go mod tidy
+
+.PHONY: help build clean coverage gosec install lint test tidy
diff --git a/README.md b/README.md
@@ -122,8 +122,11 @@ EASYPOST_TEST_API_KEY=123... EASYPOST_PROD_API_KEY=123... make test
 # Generate test coverage
 EASYPOST_TEST_API_KEY=123... EASYPOST_PROD_API_KEY=123... make coverage
 
-# Lint project (requires golangci-lint to be installed)
+# Lint project (requires `golangci-lint` to be installed - not included)
 make lint
+
+# Run security analysis on the project (requires `gosec` to be installed - not included)
+make gosec
 ```
 
 ### Testing

diff --git a/examples/events/retrieve_all/retrieve_events.go b/examples/events/retrieve_all/retrieve_events.go
@@ -29,14 +29,14 @@ func main() {
 	for results.HasMore && err == nil {
 		if results, err = client.ListEvents(opts); err == nil {
 			for i := range results.Events {
-				enc.Encode(results.Events[i])
+				_ = enc.Encode(results.Events[i])
 				// If a webhook is registered, payloads can be examined to
 				// obtain the event result.
 				payloads, _ := client.ListEventPayloads(results.Events[i].ID)
 				if len(payloads) != 0 {
 					event, _ := payloads[0].RequestBody.(*easypost.Event)
 					if event != nil {
-						enc.Encode(event.Result)
+						_ = enc.Encode(event.Result)
 					}
 				}
 			}

diff --git a/go.mod b/go.mod
@@ -5,5 +5,5 @@ go 1.15
 require (
 	github.com/dnaeon/go-vcr v1.2.0
 	github.com/google/go-querystring v1.1.0
-	github.com/stretchr/testify v1.7.0
+	github.com/stretchr/testify v1.7.2
 )
diff --git a/go.sum b/go.sum
@@ -10,13 +10,13 @@ github.com/modocache/gover v0.0.0-20171022184752-b58185e213c5/go.mod h1:caMODM3P
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.2 h1:4jaiDzPyXQvSd7D0EjG45355tLlV3VOECpq10pLC+8s=
+github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=