Add Gosec Github Action (#9332)

* add gosec security scan

* add gosec ignores first batch

* more nosec for exec

* add filepath clean

* more nosec

* file inclusion nosec

* build

* herumi

Co-authored-by: prylabs-bulldozer[bot] <58059840+prylabs-bulldozer[bot]@users.noreply.github.com>
This commit is contained in:
Raul Jordan
2021-08-15 10:24:13 -05:00
committed by GitHub
parent 1936f991eb
commit 8122da6c97
37 changed files with 86 additions and 63 deletions


@@ -199,7 +199,7 @@ func ImportAccountsCli(cliCtx *cli.Context) error {
var accountsPassword string
if cliCtx.IsSet(flags.AccountPasswordFileFlag.Name) {
passwordFilePath := cliCtx.String(flags.AccountPasswordFileFlag.Name)
data, err := ioutil.ReadFile(passwordFilePath)
data, err := ioutil.ReadFile(passwordFilePath) // #nosec G304
if err != nil {
return err
}
@@ -248,7 +248,7 @@ func importPrivateKeyAsAccount(cliCtx *cli.Context, wallet *wallet.Wallet, km *i
if !fileutil.FileExists(fullPath) {
return fmt.Errorf("file %s does not exist", fullPath)
}
privKeyHex, err := ioutil.ReadFile(fullPath)
privKeyHex, err := ioutil.ReadFile(fullPath) // #nosec G304
if err != nil {
return errors.Wrapf(err, "could not read private key file at path %s", fullPath)
}
@@ -288,7 +288,7 @@ func importPrivateKeyAsAccount(cliCtx *cli.Context, wallet *wallet.Wallet, km *i
}
func readKeystoreFile(_ context.Context, keystoreFilePath string) (*keymanager.Keystore, error) {
keystoreBytes, err := ioutil.ReadFile(keystoreFilePath)
keystoreBytes, err := ioutil.ReadFile(keystoreFilePath) // #nosec G304
if err != nil {
return nil, errors.Wrap(err, "could not read keystore file")
}
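Review bot: The `// #nosec G304` annotations added to the `ioutil.ReadFile` calls in `ImportAccountsCli`, `importPrivateKeyAsAccount` and `readKeystoreFile` record that the finding is suppressed but not why, so a later reader cannot tell whether the path was judged trusted or the warning was merely noisy. What makes the suppression defensible here is that `passwordFilePath` comes straight from `flags.AccountPasswordFileFlag` and `fullPath`/`keystoreFilePath` presumably derive from operator flags as well; say so next to the annotation, e.g. a line above the read such as `// Path is supplied by the operator via CLI flag, not by an untrusted peer; G304 does not apply.`. The same missing rationale applies to the `os.Open` suppressions in `IsValid`, `ReadKeymanagerConfigFromDisk` and `readKeymanagerKindFromWalletPath` and to the mnemonic read in `inputMnemonic`, so one agreed wording could be reused across all of them. If the module already targets Go 1.16 or later, `os.ReadFile` is the non-deprecated replacement for `ioutil.ReadFile`, though that is separate from this change. All three enclosing functions start and end outside these hunks.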


@@ -117,7 +117,7 @@ func IsValid(walletDir string) (bool, error) {
if err != nil {
return false, err
}
f, err := os.Open(expanded)
f, err := os.Open(expanded) // #nosec G304
if err != nil {
if strings.Contains(err.Error(), "no such file") ||
strings.Contains(err.Error(), "cannot find the file") ||
@@ -373,7 +373,7 @@ func (w *Wallet) ReadKeymanagerConfigFromDisk(_ context.Context) (io.ReadCloser,
return nil, fmt.Errorf("no keymanager config file found at path: %s", w.accountsPath)
}
w.configFilePath = configFilePath
return os.Open(configFilePath)
return os.Open(configFilePath) // #nosec G304
}
@@ -390,7 +390,7 @@ func (w *Wallet) WriteKeymanagerConfigToDisk(_ context.Context, encoded []byte)
}
func readKeymanagerKindFromWalletPath(walletPath string) (keymanager.Kind, error) {
walletItem, err := os.Open(walletPath)
walletItem, err := os.Open(walletPath) // #nosec G304
if err != nil {
return 0, err
}
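Review bot: In `IsValid` the not-found case is still detected by substring matching on `err.Error()` (`"no such file"`, `"cannot find the file"`), which is platform-dependent, locale-dependent on Windows, and silently treats any other open failure as a hard error; the suppressed `os.Open(expanded)` call is the result that feeds this check, so it is the natural place to tighten it. `os.IsNotExist(err)` covers both the POSIX and the Windows cases those strings are trying to match, so the condition can become `if os.IsNotExist(err) {` with the two `strings.Contains` lines dropped. These context lines are not part of this commit's change, so this could be a follow-up, and the `if` body and the rest of `IsValid` continue outside the hunk.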


@@ -22,11 +22,15 @@ import (
)
const (
phraseWordCount = 24
newMnemonicPassphraseYesNoText = "(Advanced) Do you want to setup a '25th word' passphrase for your mnemonic? [y/n]"
phraseWordCount = 24
/* #nosec G101 */
newMnemonicPassphraseYesNoText = "(Advanced) Do you want to setup a '25th word' passphrase for your mnemonic? [y/n]"
/* #nosec G101 */
newMnemonicPassphrasePromptText = "(Advanced) Setup a passphrase '25th word' for your mnemonic " +
"(WARNING: You cannot recover your keys from your mnemonic if you forget this passphrase!)"
mnemonicPassphraseYesNoText = "(Advanced) Do you have an optional '25th word' passphrase for your mnemonic? [y/n]"
/* #nosec G101 */
mnemonicPassphraseYesNoText = "(Advanced) Do you have an optional '25th word' passphrase for your mnemonic? [y/n]"
/* #nosec G101 */
mnemonicPassphrasePromptText = "(Advanced) Enter the '25th word' passphrase for your mnemonic"
)
@@ -148,7 +152,7 @@ func RecoverWallet(ctx context.Context, cfg *RecoverWalletConfig) (*wallet.Walle
func inputMnemonic(cliCtx *cli.Context) (mnemonicPhrase string, err error) {
if cliCtx.IsSet(flags.MnemonicFileFlag.Name) {
mnemonicFilePath := cliCtx.String(flags.MnemonicFileFlag.Name)
data, err := ioutil.ReadFile(mnemonicFilePath)
data, err := ioutil.ReadFile(mnemonicFilePath) // #nosec G304
if err != nil {
return "", err
}
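Review bot: The G101 suppressions in the `const` block are written as `/* #nosec G101 */` block comments on their own lines, while every other annotation in this commit is a trailing `// #nosec Gxxx` line comment, so two styles now coexist in one change; picking the trailing form, e.g. `phraseWordCount = 24` left as is and `newMnemonicPassphraseYesNoText = "..." // #nosec G101`, keeps the suppressions uniform and greppable. These constants are interactive prompt text, and the detector presumably fires on the `Passphrase` substring in the identifier names rather than on any embedded secret; a comment above the block such as `// These are user-facing prompt strings, not credentials; gosec G101 matches on the "Passphrase" names.` documents the false positive once instead of four times. Whether gosec honours a block-level comment for G101, or needs the per-declaration annotation kept, should be confirmed before collapsing the four. The `const` block is complete within the hunk; `inputMnemonic` continues outside it.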