gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 16:21:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
69a2b5c55aabf7927ddf1acd43a90aecacd3b210
certctl/scripts/ci-guards/L-001-insecure-skip-verify.sh
T
shankar0123 5ea8fb48eb ci: restore +x bit on scripts/ci-guards/*.sh (sandbox stripped exec bit) 
Pure mode-change commit. The previous 3275f9f commit dropped the
executable bit (100755 → 100644) on five files in scripts/ci-guards/
plus scripts/qa-doc-seed-count.sh and scripts/dev-setup.sh — a
sandbox-tooling artefact, not intentional. The CI pipeline calls
each guard via 'bash "$g"' so the missing exec bit didn't break
anything operationally, but operators who run a guard directly via
'./scripts/ci-guards/<id>.sh' would hit a permission-denied. Restore
to 100755 to match the rest of scripts/ci-guards/*.sh.

No content changes.
2026-05-05 04:56:43 +00:00

39 lines
1.5 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# scripts/ci-guards/L-001-insecure-skip-verify.sh
#
# L-001 audited every production InsecureSkipVerify=true call site
# and documented the justification per site in docs/operator/tls.md. This
# script grep-fails the build if any new `InsecureSkipVerify: true`
# lands in a non-test Go file without a `//nolint:gosec` comment
# carrying the justification. Test files (_test.go) are exempt.
# Updating the documented surface goes through the docs/operator/tls.md
# table — net-new sites must be reasoned about before merge.
set -e
# Find every "InsecureSkipVerify: true" or "InsecureSkipVerify = true"
# in a non-test .go file. Then for each, check the same line OR the
# immediately preceding line for `//nolint:gosec`.
BAD=""
while IFS= read -r match; do
file=$(echo "$match" | cut -d: -f1)
line=$(echo "$match" | cut -d: -f2)
same=$(sed -n "${line}p" "$file" 2>/dev/null)
prev=$(sed -n "$((line - 1))p" "$file" 2>/dev/null)
if echo "$same $prev" | grep -q 'nolint:gosec'; then
continue
fi
BAD="$BAD\n$match"
done < <(grep -rnE 'InsecureSkipVerify:\s*true|InsecureSkipVerify\s*=\s*true' \
--include='*.go' \
--exclude='*_test.go' \
. || true)
if [ -n "$BAD" ]; then
echo "::error::L-001 regression: new InsecureSkipVerify=true site without //nolint:gosec justification:"
echo -e "$BAD"
echo ""
echo "Add a //nolint:gosec comment with justification on the same"
echo "or preceding line, AND add a row to the docs/operator/tls.md table."
exit 1
fi
echo "L-001 insecure-skip-verify: clean."
Reference in New Issue View Git Blame Copy Permalink