ci: add govulncheck pr gate and nightly tests

Signed-off-by: Anish Ramasekar <[email protected]>
Azure · Apr 10, 2024 · d978a9d · d978a9d
1 parent d9fceaa
commit d978a9d
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 2 deletions.
diff --git a/.pipelines/nightly.yaml b/.pipelines/nightly.yaml
@@ -19,6 +19,13 @@ jobs:
       clean: all
     steps:
       - template: templates/scan-images.yaml
+  - job: govulncheck
+    timeoutInMinutes: 5
+    workspace:
+      clean: all
+    steps:
+    - script: make go-vuln-check
+      displayName: govulncheck
   - job: verify_deployment_yaml
     timeoutInMinutes: 30
     workspace:

diff --git a/.pipelines/pr.yaml b/.pipelines/pr.yaml
@@ -61,12 +61,20 @@ jobs:
     steps:
       - script: make shellcheck
         displayName: shellcheck
+  - job: govulncheck
+    timeoutInMinutes: 5
+    workspace:
+      clean: all
+    steps:
+      - script: make go-vuln-check
+        displayName: govulncheck
   - job:
     timeoutInMinutes: 60
     dependsOn:
     - lint
     - scan_images
     - shellcheck
+    - govulncheck
     workspace:
       clean: all
     variables:

diff --git a/Makefile b/Makefile
@@ -75,6 +75,10 @@ MOCKGEN_VER := v1.6.0
 MOCKGEN_BIN := mockgen
 MOCKGEN := $(TOOLS_BIN_DIR)/$(MOCKGEN_BIN)-$(MOCKGEN_VER)
 
+GOVULNCHECK_VER := v1.0.1
+GOVULNCHECK_BIN := govulncheck
+GOVULNCHECK := $(TOOLS_BIN_DIR)/$(GOVULNCHECK_BIN)-$(GOVULNCHECK_VER)
+
 # Scripts
 GO_INSTALL := ./hack/go-install.sh
 
@@ -156,12 +160,12 @@ all: manager
 
 # Build manager binary
 .PHONY: manager
-manager: generate fmt vet
+manager: generate fmt vet go-vuln-check
 	go build -a -ldflags $(LDFLAGS) -o bin/manager cmd/webhook/main.go
 
 # Build proxy binary
 .PHONY: proxy
-proxy: fmt vet
+proxy: fmt vet go-vuln-check
 	go build -a -ldflags $(LDFLAGS) -o bin/proxy cmd/proxy/main.go
 
 # Run against the configured Kubernetes cluster in ~/.kube/config
@@ -273,6 +277,9 @@ $(HELM):
 $(MOCKGEN): ## Build mockgen from tools folder.
 	GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) github.com/golang/mock/mockgen $(MOCKGEN_BIN) $(MOCKGEN_VER)
 
+$(GOVULNCHECK):
+	GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) golang.org/x/vuln/cmd/govulncheck $(GOVULNCHECK_BIN) $(GOVULNCHECK_VER)
+
 ## --------------------------------------
 ## E2E images
 ## --------------------------------------
@@ -303,6 +310,11 @@ vet:
 test: generate manifests
 	go test -v ./... -coverprofile cover.out
 
+# Run go vuln check
+.PHONY: go-vuln-check
+go-vuln-check: $(GOVULNCHECK)
+	$(GOVULNCHECK) ./...
+
 $(E2E_TEST):
 	(cd test/e2e && go test -tags=e2e -c . -o $(E2E_TEST))