security push

- addressing gosec issues - adding workflow docs - go version bump
2025-04-24 12:23:07 -04:00 · 2025-04-24 12:23:07 -04:00 · b414b269ac
commit b414b269ac
parent 13d3b2cef3
6 changed files with 26 additions and 9 deletions
--- a/.gitea/workflows/security.yaml
+++ b/.gitea/workflows/security.yaml
@ -0,0 +1,8 @@
+name: "security scans"
+on: push
+
+jobs:
+  scans:
+    runs-on: smoke-test
+    steps:
+      uses: https://code.jakeyoungdev.com/actions/security@master #update this to a tag after first successful run
--- a/cmd/config.go
+++ b/cmd/config.go
@ -48,7 +48,8 @@ var configCmd = &cobra.Command{
 		viper.Set("server", cfgserver)
 		viper.Set("password", string(ciphert))
 		viper.Set("port", cfgport)
-		viper.WriteConfig()
+		err = viper.WriteConfig()
+		cobra.CheckErr(err)
 		fmt.Println()
 		fmt.Println("Config file updated!")
 	},
@ -57,9 +58,11 @@ var configCmd = &cobra.Command{
 func init() {
 	initConfig()
 	configCmd.Flags().StringVarP(&cfgserver, "server", "s", "", "server address")
-	configCmd.MarkFlagRequired("server")
+	err := configCmd.MarkFlagRequired("server")
+	cobra.CheckErr(err)
 	configCmd.Flags().IntVarP(&cfgport, "port", "p", 0, "server rcon port")
-	configCmd.MarkFlagRequired("port")
+	err = configCmd.MarkFlagRequired("port")
+	cobra.CheckErr(err)
 	rootCmd.AddCommand(configCmd)
 }

@ -72,7 +75,8 @@ func initConfig() {
 	viper.SetConfigType("yaml")
 	viper.SetConfigName(".mctl")
 	viper.AutomaticEnv()
-	viper.ReadInConfig()
+	err = viper.ReadInConfig()
+	cobra.CheckErr(err)

 	if err := viper.ReadInConfig(); err != nil {
 		//file does not exist, create it
@ -92,6 +96,6 @@ func initConfig() {
 		//write config
 		viper.Set("customcmd", cmdMap)
 		viper.Set("device", string(uu))
-		viper.SafeWriteConfig()
+		cobra.CheckErr(viper.SafeWriteConfig())
 	}
 }
--- a/cmd/delete.go
+++ b/cmd/delete.go
@ -21,7 +21,8 @@ var deleteCmd = &cobra.Command{
 			cmdMap := viper.Get("customcmd").(map[string]any)
 			delete(cmdMap, args[0])
 			viper.Set("customcmd", cmdMap)
-			viper.WriteConfig()
+			err := viper.WriteConfig()
+			cobra.CheckErr(err)
 		}
 	},
 	PreRunE: func(cmd *cobra.Command, args []string) error {
--- a/cmd/save.go
+++ b/cmd/save.go
@ -36,7 +36,8 @@ var saveCmd = &cobra.Command{
 				}
 				cmdMap[args[0]] = txt
 				viper.Set("customcmd", cmdMap)
-				viper.WriteConfig()
+				err := viper.WriteConfig()
+				cobra.CheckErr(err)
 				fmt.Println("\nSaved!")
 			}
 		}
--- a/cryptography/aes.go
+++ b/cryptography/aes.go
@ -21,7 +21,10 @@ func EncryptPassword(b []byte) ([]byte, error) {
 		return nil, err
 	}

-	ct := aesg.Seal(nil, []byte(nonce), []byte(b), nil)
+	//adding #nosec here since gosec interprets this as a hardcoded nonce when in reality it is securely generated
+	//using crypto/rand when running the config command. Here is is pulled from memory and is not a hardcoded nonce
+	//as gosec thinks, will remove this skip once the issue is addressed from gosec
+	ct := aesg.Seal(nil, []byte(nonce), []byte(b), nil) // #nosec
 	return ct, nil
 }

--- a/go.mod
+++ b/go.mod
@ -1,6 +1,6 @@
 module code.jakeyoungdev.com/jake/mctl

-go 1.24.0
+go 1.24.2

 require (
 	github.com/jake-young-dev/mcr v1.3.1