Add Security Scanners

.github/workflows/secure.yml

@@ -0,0 +1,73 @@
+name: Secure
+
+on: push
+
+jobs:
+  # Sample GitHub Actions:
+  # https://semgrep.dev/docs/semgrep-ci/sample-ci-configs#sample-github-actions-configuration-file
+  #
+  # CLI Reference:
+  # https://semgrep.dev/docs/cli-reference
+  semgrep:
+    runs-on: ubuntu-24.04
+    container:
+      image: semgrep/semgrep
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@v4
+      - run: semgrep scan --sarif --output=semgrep.sarif --error --severity=WARNING
+        env:
+          SEMGREP_RULES: >-
+            p/command-injection
+            p/comment
+            p/cwe-top-25
+            p/default
+            p/gitlab
+            p/gitleaks
+            p/golang
+            p/gosec
+            p/insecure-transport
+            p/owasp-top-ten
+            p/r2c-best-practices
+            p/r2c-bug-scan
+            p/r2c-security-audit
+            p/secrets
+            p/security-audit
+            p/sql-injection
+            p/xss
+      - uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: semgrep.sarif
+        if: always()
+
+  # Samples GitHub Actions:
+  # https://github.com/aquasecurity/trivy-action
+  trivy:
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: fs
+          format: sarif
+          output: trivy.sarif
+          exit-code: 1
+          severity: MEDIUM,CRITICAL,HIGH
+      - uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy.sarif
+        if: always()
+
+  # Samples GitHub Actions:
+  # https://github.com/golang/govulncheck-action
+  govulncheck:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: golang/govulncheck-action@v1
+        with:
+          go-version-file: go.mod

.github/workflows/verify.yml

@@ -0,0 +1,36 @@
+name: Verify
+
+on: push
+
+jobs:
+  tests:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.21'
+      - run: go test -v ./...
+
+  golangci-lint:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.21'
+      - uses: golangci/golangci-lint-action@v6
+        with:
+          version: v1.53.3
+          install-mode: goinstall
+          working-directory: selvpcclient
+
+  tidy:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.21'
+      - run: go mod tidy -v
+      - run: git diff --exit-code

.golangci.yml

@@ -5,7 +5,6 @@ linters:
   fast: false
   enable:
     - asciicheck
-    - deadcode
     - depguard
     - dogsled
     - errcheck
@@ -21,29 +20,23 @@ linters:
     - gofumpt
     - goheader
     - goimports
-    - golint
     - gomodguard
     - goprintffuncname
     - gosimple
     - govet
     - ineffassign
-    - interfacer
-    - maligned
     - misspell
     - nakedret
     - noctx
     - nolintlint
     - prealloc
     - rowserrcheck
-    - scopelint
     - sqlclosecheck
     - staticcheck
-    - structcheck
     - stylecheck
     - typecheck
     - unconvert
     - unused
-    - varcheck
     - whitespace
 
 linters-settings:

go.mod

@@ -1,8 +1,8 @@
 module github.com/selectel/go-selvpcclient/v3
 
-go 1.20
+go 1.21
 
 require (
 	github.com/google/go-querystring v1.1.0
-	github.com/gophercloud/gophercloud v1.5.0
+	github.com/gophercloud/gophercloud v1.12.0
 )

go.sum

@@ -2,8 +2,8 @@ github.com/google/go-cmp v0.5.2 h1:X2ev0eStA3AbceY54o37/0PQ/UWqKEiiO2dKL5OPaFM=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
-github.com/gophercloud/gophercloud v1.5.0 h1:cDN6XFCLKiiqvYpjQLq9AiM7RDRbIC9450WpPH+yvXo=
-github.com/gophercloud/gophercloud v1.5.0/go.mod h1:aAVqcocTSXh2vYFZ1JTvx4EQmfgzxRcNupUfxZbBNDM=
+github.com/gophercloud/gophercloud v1.12.0 h1:Jrz16vPAL93l80q16fp8NplrTCp93y7rZh2P3Q4Yq7g=
+github.com/gophercloud/gophercloud v1.12.0/go.mod h1:aAVqcocTSXh2vYFZ1JTvx4EQmfgzxRcNupUfxZbBNDM=
 golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

selvpcclient/testutils/handlers.go

@@ -2,7 +2,7 @@ package testutils
 
 import (
 	"encoding/json"
-	"fmt"
+	"html/template"
 	"io"
 	"net/http"
 	"reflect"
@@ -41,7 +41,16 @@ func HandleReqWithoutBody(t *testing.T, opts *HandleReqOpts) {
 	opts.Mux.HandleFunc(opts.URL, func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Add("Content-Type", "application/json")
 		w.WriteHeader(opts.Status)
-		fmt.Fprint(w, opts.RawResponse)
+
+		tpl, err := template.New("template").Parse(opts.RawResponse)
+		if err != nil {
+			t.Fatalf("unable to parse template: %v", err)
+		}
+
+		err = tpl.Execute(w, nil)
+		if err != nil {
+			t.Fatalf("unable to write response: %v", err)
+		}
 
 		if r.Method != opts.Method {
 			t.Fatalf("expected %s method but got %s", opts.Method, r.Method)
@@ -91,7 +100,16 @@ func HandleReqWithBody(t *testing.T, opts *HandleReqOpts) {
 
 		w.Header().Add("Content-Type", "application/json")
 		w.WriteHeader(opts.Status)
-		fmt.Fprint(w, opts.RawResponse)
+
+		tpl, err := template.New("template").Parse(opts.RawResponse)
+		if err != nil {
+			t.Fatalf("unable to parse template: %v", err)
+		}
+
+		err = tpl.Execute(w, nil)
+		if err != nil {
+			t.Fatalf("unable to write response: %v", err)
+		}
 
 		var expectedRequest interface{}
 		err = json.Unmarshal([]byte(opts.RawRequest), &expectedRequest)