build: exclude go caches from gosec

Without tuning, gosec scans all of the vendor/gocache/gomodcache, taking
several minutes (3m35 here), whereas the core of the yq takes only 15
seconds to scan.

If we intend to remediate upstream issues in future, add a separate
target to scan those.

Signed-off-by: Robin H. Johnson <rjohnson@coreweave.com>
Robin H. Johnson 2025-12-29 10:05:57 -08:00
parent b79afe1d2f
commit fcac8b1239
GPG Key ID: 19395F23C58826C4
2 changed files with 9 additions and 6 deletions


@ -292,3 +292,4 @@ nokyaml
buildvcs
behaviour
GOFLAGS
gocache
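Review bot: only "gocache" is added to this word list, but the script hunk in the same commit introduces ".gomodcache" as well; if this file is the spelling allowlist that "buildvcs" and "nokyaml" suggest it is, "gomodcache" will be flagged the next time the script or a comment mentioning it is checked, so add it in the same change.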


@ -3,9 +3,11 @@
set -o errexit
set -o pipefail
if command -v gosec &> /dev/null
then
gosec "${PWD}" ./...
else
./bin/gosec "${PWD}" ./...
fi
OPTS=(
-exclude-dir=vendor
-exclude-dir=.gomodcache
-exclude-dir=.gocache
)
command -v gosec &> /dev/null && BIN=gosec || BIN=./bin/gosec
"${BIN}" "${OPTS[@]}" "${PWD}" ./...
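Review bot: the three hard-coded directory names in OPTS (`-exclude-dir=vendor`, `-exclude-dir=.gomodcache`, `-exclude-dir=.gocache`) are the only record of why these paths are skipped, and the commit message's note that a separate target may later scan them is not reflected in the script; add a short comment above `OPTS=(` stating that these are the vendored and Go cache directories, that they are excluded only for scan time, and that vulnerabilities in them are therefore not reported by this target. The `command -v gosec &> /dev/null && BIN=gosec || BIN=./bin/gosec` chain is safe under `set -o errexit` only because the middle command is a plain assignment that cannot fail; if anything more is ever put in that position, the `||` branch would also run on its failure, so an explicit `if`/`else` (as the removed lines had) is the more robust form to keep.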