A Buildkite plugin for using Sonatype's community Nancy dependency checker for Go.
This plugin is authored separately to Nancy, and is in no way connected to or affiliated with Sonatype.
This plugin uses a Go image to extract the dependency list for the current project, and passes that output through Nancy. The build fails if Nancy indicates that vulnerable dependencies are found.
Note that if Nancy configuration is committed to the repository, it will be respected by default.
Add the following to your pipeline.yml
:
steps:
- plugins:
- cultureamp/sonatype-nancy#v1.0.0
Optionally, a specific Go version or a working directory can be supplied:
steps:
- plugins:
- cultureamp/sonatype-nancy#v1.0.0:
go-version: '1.17'
working-directory: 'src'
The version of the Go Docker image to use. By default, '1-alpine' will be used,
and '-alpine' will be appended to the image unless a specific runtime is
supplied. For example, the version 1.17
will result in the use of the
1.17-alpine
image.
To use a different base, specify the complete tag name, e.g. 1.17-bullseye
.
The working directory to use when discovering dependencies and Nancy configuration. By default this is the root of the repository.
To run the tests:
docker-compose run --rm tests
- Fork the repo
- Make the changes
- Run the tests
- Commit and push your changes
- Send a pull request