6 changes: 6 additions & 0 deletions .gitignore
Expand Up @@ -16,6 +16,8 @@
/goenv
goenv-*
*.exe
coverage.out
*.out

// No docs at root
/*.md
Expand All @@ -25,3 +27,7 @@ scripts/swap/swap
# Snyk Security Extension - AI Rules (auto-generated)
.github/instructions/snyk_rules.instructions.md
cmd/aliases/.go-version

sbom*.json

.goenv/*
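Review bot: `*.out` already matches `coverage.out`, so if both lines belong to this change (the rendered page dropped the `+` markers, so I cannot tell which of the first hunk's lines are new) one of them is redundant; keep `*.out` alone, or only `coverage.out` if the broader pattern was not intended. Should the `// No docs at root` line also be new rather than context, note that gitignore comments start with `#`; as written it is an ignore pattern, not a comment, and would read `# No docs at root`. `.goenv/*` ignores the directory's contents only, which leaves the root-level `.goenv-policy.yaml` added in this same change tracked, as presumably intended.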
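--- /dev/null
+++ b/.goenv-policy.yaml
@@ -0,0 +1,86 @@
+# yaml-language-server: $schema=./schemas/policy-schema.json
+# goenv SBOM Policy Configuration
+# Version: 1.0
+# Description: Example policy for validating Go project SBOMs
+
+version: "1"
+
+# Policy options
+options:
+  fail_on_error: true
+  fail_on_warning: false
+  verbose: false
+
+# Validation rules
+rules:
+  # Supply Chain Security Rules
+  - name: no-local-replaces
+    type: supply-chain
+    severity: error
+    description: Prevent local path replace directives that bypass checksum verification
+    check: replace-directives
+    blocked:
+      - local-path
+
+  - name: no-vendoring
+    type: supply-chain
+    severity: warning
+    description: Discourage vendored dependencies (optional - adjust per org policy)
+    check: vendoring-status
+    blocked:
+      - vendored
+
+  # Security Rules
+  - name: block-retracted-versions
+    type: security
+    severity: error
+    description: Prevent use of retracted module versions
+    check: retracted-versions
+
+  - name: require-cgo-disabled
+    type: security
+    severity: warning
+    description: Recommend disabling CGO for reduced attack surface
+    check: cgo-disabled
+    required:
+      - "false"
+
+  # Completeness Rules
+  - name: require-stdlib-component
+    type: completeness
+    severity: warning
+    description: Ensure standard library component is included in SBOM
+    check: required-components
+    required:
+      - golang-stdlib
+
+  - name: require-goenv-metadata
+    type: completeness
+    severity: info
+    description: Ensure Go-aware metadata is present
+    check: required-metadata
+    required:
+      - goenv:go_version
+      - goenv:platform
+      - goenv:build_context.goos
+      - goenv:build_context.goarch
+
+  # License Compliance Rules
+  - name: block-gpl-licenses
+    type: license
+    severity: error
+    description: Block copyleft licenses (adjust per org policy)
+    check: license-compliance
+    blocked:
+      - GPL-2.0
+      - GPL-3.0
+      - AGPL-3.0
+
+  - name: warn-lgpl-licenses
+    type: license
+    severity: warning
+    description: Warn on LGPL licenses requiring disclosure
+    check: license-compliance
+    blocked:
+      - LGPL-2.1
+      - LGPL-3.0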
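Review bot: The two `license-compliance` rules block `GPL-2.0`, `GPL-3.0`, `AGPL-3.0`, `LGPL-2.1` and `LGPL-3.0`, which are the SPDX identifiers deprecated in favour of the `-only` / `-or-later` forms (`GPL-3.0-only`, `GPL-3.0-or-later`, and so on); if the check compares identifiers as exact strings, a module declaring `GPL-3.0-only` would pass `block-gpl-licenses`. I cannot see the check's matching semantics from this page, so either add the suffixed forms to each `blocked` list or document that matching is prefix-based. The `require-cgo-disabled` rule states its expectation as `required: - "false"`, which reads like a required component name rather than a required value next to `require-stdlib-component`; a comment such as `# "false" is the expected value of the cgo-disabled check, not a component` would help if that is the intent. The header comment says `Version: 1.0` while the document declares `version: "1"`; aligning the two avoids doubt over which is the schema version.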
15 changes: 14 additions & 1 deletion .vscode/settings.json
Expand Up @@ -3,5 +3,18 @@
"makefile.configureOnOpen": false,
"go.toolsGopath": "${env:HOME}/go/tools",
"go.goroot": "${env:HOME}/.goenv/versions/1.23.2",
"go.gopath": "${env:HOME}/go/1.23.2"
"go.gopath": "${env:HOME}/go/1.23.2",
"yaml.schemas": {
"https://json.schemastore.org/github-workflow.json": ".github/workflows/*.yml",
"https://json.schemastore.org/github-action.json": ".github/actions/*/action.yml"
},
"yaml.customTags": [
"!Policy scalar"
],
"yaml.validate": true,
"files.associations": {
"*-policy.yaml": "yaml",
".goenv-policy.yaml": "yaml",
"examples/policies/*.yaml": "yaml"
}
}
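Review bot: `yaml.customTags` registers `!Policy scalar`, but the `.goenv-policy.yaml` added in this same change uses no `!Policy` tag, and a custom tag the editor accepts would still be rejected by a safe YAML loader at runtime; unless a consumer actually defines the tag, the entry should be dropped or its purpose documented in the project docs. The three `files.associations` entries map paths already ending in `.yaml` to `yaml`, which VS Code does by extension anyway, so they look redundant unless another extension claims those files. The policy schema is bound only through the file's own `# yaml-language-server: $schema=` comment rather than `yaml.schemas`, which is workable but worth a note since `yaml.validate: true` now applies to every YAML file in the workspace.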
6 changes: 6 additions & 0 deletions Makefile
Expand Up @@ -26,6 +26,9 @@ build:

build-swap:: build swap

# alias for build-swap
bs: build-swap

test:
unset GOENV_DEBUG && go run scripts/build-tool/main.go -task=test

Expand Down Expand Up @@ -74,5 +77,8 @@ release:
snapshot:
go run scripts/build-tool/main.go -task=snapshot

restore:
go run ./scripts/swap/main.go bash

swap:
go run ./scripts/swap/main.go go
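Review bot: The new `bs` and `restore` targets produce no file of that name, so they belong in the Makefile's `.PHONY` list if it has one (not visible in either hunk); otherwise a stray file called `bs` or `restore` would make `make` report it up to date and skip the recipe. `restore` also lacks the one-line comment that `bs` received, and its `bash` argument to `scripts/swap/main.go` does not explain what is being restored; a comment stating what `restore` undoes and why the argument differs from `swap`'s `go` would help. The first hunk opens just after the `build:` target, whose recipe lies outside the hunk.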