fix(ci): 修复 gosec 扫描因 ent 生成代码导致超时的问题
【问题描述】 backend-security CI job 持续运行约 6 小时后被 GitHub Actions 强制取消, 表现为 'Run gosec' 步骤挂起,最终以 cancelled 状态结束。 【根本原因】 gosec 对 ./... 执行 AST 静态分析时,包含了 ent/ 目录下的 自动生成文件(如 mutation.go 共 24800 行),导致分析时间 超出 GitHub Actions 默认的 6 小时上限。 【修复方案】 1. gosec 命令增加 -exclude-dir=ent 跳过自动生成代码目录 2. backend-security job 增加 timeout-minutes: 15,避免未来 类似问题再次长时间卡死后才被发现 ent/ 目录内容全部由 Ent ORM 框架自动生成,开发者不直接编写, 不需要纳入人工安全审计范围,排除后不影响扫描有效性。
This commit is contained in:
wucm667
4
.github/workflows/security-scan.yml
vendored
4
.github/workflows/security-scan.yml
vendored
@@ -12,6 +12,7 @@ permissions:
|
|||||||
jobs:
|
jobs:
|
||||||
backend-security:
|
backend-security:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
timeout-minutes: 15
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
- name: Set up Go
|
- name: Set up Go
|
||||||
@@ -32,7 +33,8 @@ jobs:
|
|||||||
working-directory: backend
|
working-directory: backend
|
||||||
run: |
|
run: |
|
||||||
go install github.com/securego/gosec/v2/cmd/gosec@latest
|
go install github.com/securego/gosec/v2/cmd/gosec@latest
|
||||||
gosec -conf .gosec.json -severity high -confidence high ./...
|
# exclude ent/ — auto-generated ORM code, not subject to manual security review
|
||||||
|
gosec -conf .gosec.json -severity high -confidence high -exclude-dir=ent ./...
|
||||||
|
|
||||||
frontend-security:
|
frontend-security:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|||||||
Reference in New Issue
Block a user