This repository has been archived by the owner on May 21, 2023. It is now read-only.

Improve readme
cugu committed Jan 11, 2022
1 parent 4fda72b commit 79afc19
Showing 2 changed files with 15 additions and 4 deletions.
8 changes: 5 additions & 3 deletions .github/workflows/ci.yml
Expand Up @@ -13,7 +13,7 @@ jobs:
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ macos-latest, ubuntu-latest ] # windows-latest,
os: [ macos-latest, ubuntu-latest ] # windows-latest,
steps:
- name: Setup go 1.17
uses: actions/setup-go@v2
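
Review bot: the `os:` matrix line in this hunk appears to change only whitespace, which is unrelated to a commit titled "Improve readme" and would be better split out or dropped. While the line is being touched, the trailing `# windows-latest,` comment should say why Windows is left out of the matrix, because the capability check further down is then never exercised on that platform.
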
Expand All @@ -22,9 +22,11 @@ jobs:
uses: actions/checkout@v2
- name: Download dependencies
run: go mod download
- name: Install
run: go install .

- name: Capabilities
run: go run . check .
- name: Check Capabilities
run: gocap check .

- name: golangci-lint
uses: golangci/golangci-lint-action@v2
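
Review bot: the new `run: gocap check .` in the Check Capabilities step depends on the binary written by `go install .` being found on the runner's PATH, a dependency the previous `go run . check .` did not have. If the Go bin directory is missing from PATH, or another `gocap` sits earlier on it, the step fails or checks with the wrong binary. Calling it as `"$(go env GOPATH)/bin/gocap" check .`, or adding a short comment on the Install step stating that the workflow relies on PATH, would make the dependency explicit.
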
11 changes: 10 additions & 1 deletion README.md
Expand Up @@ -44,7 +44,7 @@ attack surface besides stealing your CPU cycles.

Implementing the approach above would require changes to Go itself. So I came up with another, simpler approach: GoCap.
GoCap can check and validate the source code of dependencies for their capabilities and is ment to be included into the
testing phase of the build process. This way GoCap can to at least pin the capabilities of dependencies.
testing phase of the build process. This way GoCap can at least pin the capabilities of dependencies.

GoCap provides simple capability checking for Go using a `go.cap` file. The
`go.cap` files lists all package dependencies that require critical permissions like file access, execution rights or
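
Review bot: the fix for "can to at least" leaves the typo on the line directly above it, "is ment to be included", which should read "is meant to be included". The context line "`go.cap` files lists all package dependencies" also needs "file lists", and both could be corrected in this same commit.
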
Expand All @@ -60,6 +60,14 @@ github.com/alecthomas/kong (file, syscall)
github.com/pkg/errors (runtime)
```

### Install GoCap

You can [download a release](https://github.com/cugu/gocap/releases) or run

```shell
go install github.com/cugu/gocap@v0.1.0
```

### gocap generate

`gocap generate <path>` prints a valid `go.cap` file. It lists all dependency packages that require critical permissions
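
Review bot: the install command in the new "Install GoCap" section hard-codes `@v0.1.0`, so the README will go stale with the next tag unless updating it becomes part of the release process. Pinning an exact version is the right default for a tool that gates dependency capabilities, so keep the pin and add a sentence saying the version shown is the current release. The "download a release" option would also benefit from a note on how to verify the downloaded binary, if the releases publish checksums.
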
Expand All @@ -84,6 +92,7 @@ github.com/pkg/errors (runtime)

`gocap check <path>` compares a local `go.cap` file with the actual required capabilities by dependency packages. Any
missmatch results in a non-zero exit code, so you can use GoCap check in your CI pipelines.
See [ci.yml](https://github.com/cugu/gocap/blob/main/.github/workflows/ci.yml#L28) for a working example.

*Example*

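
Review bot: the added link to `ci.yml#L28` combines the moving `main` branch with a line anchor, so it will point at the wrong line as soon as the workflow is edited again. A single line anchor also cannot show both the Install step and the Check Capabilities step that the working example needs. Linking to the file without an anchor, or to a permalink at a fixed commit with a line range, avoids both problems. The context line above still has "missmatch", which should be "mismatch".
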