Pin scanner version in gosec analyzer
Problem to solve
Our gosec analyzer installs the scanner binary when building the Docker image without specifying a version. Each build therefore fetches whatever release is current at build time, so the image is not reproducible and a newer release could break compatibility with our analyzer.
We must pin a specific version instead and bump it deliberately and periodically.
Target audience
Developers and various security roles.
Further details
Proposal
Update the analyzer's image build to use an installation method for the scanner that accepts an explicit version number, rather than one that always fetches the latest release.
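As an added illustration (not the analyzer's actual Dockerfile), the unpinned install next to a pinned one. The base image, the `GOSEC_VERSION` value, the install prefix and the exact text printed by `gosec -version` are assumptions for the example; the upstream gosec install script does accept a release tag as its last argument, and `go install` can target a tagged module version.

```dockerfile
# Added example, not the project's own Dockerfile. Base image, version value
# and install prefix are hypothetical.

# Before: no version given, so the script installs whatever is "latest" at
# build time. Two builds on different days can ship different gosec versions.
# RUN curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh \
#     | sh -s -- -b /usr/local/bin

# After: the version is an explicit build argument that only changes when we
# bump it on purpose.
FROM golang:1.21 AS analyzer   # hypothetical base image

ARG GOSEC_VERSION=v2.18.2      # hypothetical pinned tag; bump deliberately

# Option A: install the tagged release binary via the upstream script.
RUN curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh \
    | sh -s -- -b /usr/local/bin "${GOSEC_VERSION}"

# Option B (alternative): build the tagged module version with the Go toolchain.
# RUN go install github.com/securego/gosec/v2/cmd/gosec@${GOSEC_VERSION}

# Fail the build if the installed binary does not report the pinned version.
# Assumes the release binary prints a line like "Version: 2.18.2".
RUN gosec -version | grep -q "${GOSEC_VERSION#v}"
```

Keeping the version in a build argument means a bump is a one-line, reviewable change, and the final `RUN` turns a silent version drift into a failed image build rather than a broken analyzer discovered later.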
What does success look like, and how can we measure that?
Every build of the analyzer image installs the same version of gosec until we bump it manually.
Links / references
Edited by Olivier Gonzalez