From fcac8b12398f1fd9ed3b44c039816fff4bc50bfd Mon Sep 17 00:00:00 2001
From: "Robin H. Johnson"
Date: Mon, 29 Dec 2025 10:05:57 -0800
Subject: [PATCH] build: exclude go caches from gosec

Without tuning, gosec scans all of the vendor/gocache/gomodcache, taking several minutes (3m35 here), whereas the core of the yq takes only 15 seconds to scan. If we intend to remediate upstream issues in future; add a seperate target to scan those.
Signed-off-by: Robin H. Johnson
---
 project-words.txt | 1 +
 scripts/secure.sh | 14 ++++++++------
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/project-words.txt b/project-words.txt
index a7f5b54c..759f0dd5 100644
--- a/project-words.txt
+++ b/project-words.txt
@@ -292,3 +292,4 @@ nokyaml
 buildvcs
 behaviour
 GOFLAGS
+gocache
diff --git a/scripts/secure.sh b/scripts/secure.sh
index 956961dc..11df0749 100755
--- a/scripts/secure.sh
+++ b/scripts/secure.sh
@@ -3,9 +3,11 @@
 set -o errexit
 set -o pipefail
 
-if command -v gosec &> /dev/null
-then
- gosec "${PWD}" ./...
-else
- ./bin/gosec "${PWD}" ./...
-fi
\ No newline at end of file
+OPTS=(
+ -exclude-dir=vendor
+ -exclude-dir=.gomodcache
+ -exclude-dir=.gocache
+)
+
+command -v gosec &> /dev/null && BIN=gosec || BIN=./bin/gosec
+"${BIN}" "${OPTS[@]}" "${PWD}" ./...
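Review bot: The new `-exclude-dir=vendor` entry takes vendored third-party code out of the security scan, and nothing in scripts/secure.sh records that this is deliberate or that those directories still need separate coverage; the commit message defers that target to "future", so the script itself is the only place a later reader will look. Suggest a comment above `OPTS=(` such as `# Skip vendored modules and the repo-local Go caches: gosec otherwise takes minutes instead of ~15s,` / `# and findings there belong upstream. TODO: add a separate target that scans them.` The selector line `command -v gosec &> /dev/null && BIN=gosec || BIN=./bin/gosec` is correct only because a plain assignment cannot fail; writing it as `if command -v gosec &>/dev/null; then BIN=gosec; else BIN=./bin/gosec; fi` reads unambiguously under errexit and stays safe if either branch ever becomes a command. The shebang and any other setup precede this hunk, so whether the interpreter is bash (needed for `&>` and the array) cannot be confirmed from here. The project-words.txt hunk sharing this line is a word-list addition and needs no review.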