timoa/secure-go-backend-clean-architecture

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

431 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Go Backend Clean Architecture with DevSecOps best practices

License: Apache 2.0

This project is a fork of the Go Backend Clean Architecture developed by Amit Shekhar.

The goal is to demonstrate best practices for automatically maintaining a Go project with tools such as Renovate (dependency updates, including fixes for vulnerable dependencies), pre-commit, semantic-release (versioning, changelog generation, etc.), GitHub runner hardening, and other useful DevSecOps tools.

Security & automation best practices

This repository is intentionally configured with a security-focused CI/CD pipeline and automation defaults.

  • Dependency updates (Renovate)

    • Automated dependency update PRs with a dependency dashboard and security labeling.
    • Config: .github/renovate.json.
  • Reproducible builds & tests (Bazel)

    • CI builds and runs tests via Bazel for consistent, hermetic-ish builds.
    • Workflows use Bazel caching to speed up CI.
    • Workflows: .github/workflows/build.yml, .github/workflows/codeql-analysis.yml.
  • Code quality gates (SonarCloud)

    • Quality gate, coverage ingestion, and maintainability/security metrics.
    • Coverage is generated as coverage.out and uploaded between jobs.
    • Config: sonar-project.properties.
    • Workflow: .github/workflows/build.yml (job code-quality).
  • SAST / vulnerability scanning (SCAN)

    • Static application security testing is run in CI and can annotate pull requests.
    • Workflow: .github/workflows/build.yml (job code-security).
  • Code scanning (GitHub CodeQL)

    • Scheduled and PR-based CodeQL analysis with results uploaded to GitHub code scanning.
    • Workflow: .github/workflows/codeql-analysis.yml.
  • Supply-chain / repo hygiene (OpenSSF Scorecard)

    • Periodic and branch-protection-triggered Scorecard runs, uploaded as SARIF.
    • Workflow: .github/workflows/scorecard.yml.
  • PR feedback automation (Reviewdog: Staticcheck + Hadolint)

    • Go linting via staticcheck and Dockerfile linting via hadolint, reported directly on PRs.
    • Workflow: .github/workflows/code-review.yml.
  • GitHub Actions hardening (Harden Runner)

    • Workflows use step-security/harden-runner, which in audit mode records every outbound connection a job makes and in block mode restricts egress to an explicit allow-list of endpoints.
    • Workflows: .github/workflows/build.yml, .github/workflows/code-review.yml.
  • Release automation (semantic-release)

    • Automated versioning and release preparation on main.
    • Workflow: .github/workflows/build.yml (job pre-release).
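The Scorecard and harden-runner items above are only effective if the workflows are actually written that way: actions pinned to a commit SHA rather than a movable tag, a least-privilege `permissions` block for `GITHUB_TOKEN`, and harden-runner in `block` rather than `audit` mode. The script below is an added example, not code from this repository or from the tools it names; it audits a workflow file for those three gaps against two constructed sample workflows (the 40-hex SHAs in the hardened sample are placeholders, not real commits). It assumes POSIX sh with grep, sed, wc and mktemp.

```shell
#!/bin/sh
# Added example; not code from timoa/secure-go-backend-clean-architecture.
# Audits a GitHub Actions workflow for three gaps that the Scorecard and
# harden-runner steps exist to close. Assumes POSIX sh, grep, sed, wc and
# mktemp. The two workflows below are constructed samples; the 40-hex SHAs
# in the hardened one are placeholders, not real commits.

# Print one finding per line for the workflow file given as $1.
audit_workflow() {
  f="$1"
  # 1. Scorecard "Pinned-Dependencies": a tag like @v4 can be moved to
  #    different code later; a full commit SHA cannot. Local ./ actions exempt.
  grep -nE '^[[:space:]]*(-[[:space:]]*)?uses:' "$f" \
    | grep -vE 'uses:[[:space:]]*\./' \
    | grep -vE '@[0-9a-f]{40}([[:space:]]|$)' \
    | sed "s|^|$f:|; s|\$|: action not pinned to a full commit SHA|"
  # 2. No top-level permissions block means GITHUB_TOKEN gets the repository
  #    default, which may carry write scopes this job never needs.
  grep -qE '^permissions:' "$f" \
    || printf '%s: no top-level permissions block for GITHUB_TOKEN\n' "$f"
  # 3. harden-runner in "audit" mode only logs egress; "block" plus an
  #    allow-list is what stops a compromised action or module from
  #    exfiltrating secrets.
  if ! grep -q 'step-security/harden-runner' "$f"; then
    printf '%s: no harden-runner step\n' "$f"
  elif grep -qE 'egress-policy:[[:space:]]*audit' "$f"; then
    printf '%s: harden-runner in audit mode, egress is logged but not blocked\n' "$f"
  fi
}

# Number of findings as a bare integer; 0 means the workflow passes.
finding_count() {
  echo $(( $(audit_workflow "$1" | wc -l) ))
}

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
WEAK="$WORKDIR/weak.yml"
HARDENED="$WORKDIR/hardened.yml"

# Constructed sample: common unhardened shape (tags, default token, audit only).
cat > "$WEAK" <<'EOF'
name: build
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2
        with:
          egress-policy: audit
      - uses: actions/checkout@v4
      - run: go test ./...
EOF

# Constructed sample: the same job hardened. The SHAs are placeholders.
cat > "$HARDENED" <<'EOF'
name: build
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Harden runner (first step, so checkout is covered too)
        uses: step-security/harden-runner@0123456789abcdef0123456789abcdef01234567 # v2, placeholder SHA
        with:
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            proxy.golang.org:443
            sum.golang.org:443
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4, placeholder SHA
      - run: go test ./...
EOF

audit_workflow "$WEAK"        # four findings
audit_workflow "$HARDENED"    # prints nothing
```

In practice the allow-list for `egress-policy: block` is derived from a prior run in `audit` mode: harden-runner reports every endpoint the job contacted, and the hardened workflow then lists only those. Keep the harden-runner step first in the job so that the checkout step's network activity is covered as well.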

Makefile commands

Common local commands for contributors:

  • Install local tooling & git hooks (macOS)

    • make onboarding
    • Installs required tools via Homebrew (including pre-commit, hadolint, checkov, gosec, bazelisk) and sets up git hooks.
  • Build

    • make build
    • Runs bazel-build and docker-build.
  • Build (Bazel)

    • make bazel-build
    • Builds //cmd:main with Bazel.
  • Test (Bazel)

    • make test (alias of make bazel-test)
    • Runs the full Bazel test suite.
  • Coverage (Go)

    • make coverage
    • Generates coverage.out (used by SonarCloud).
  • Update Bazel BUILD files (Gazelle)

    • make gazelle
    • Runs Gazelle to keep Bazel build files in sync.
  • Docker build

    • make docker-build
    • Builds Docker images via docker-compose.
  • Run all pre-commit checks

    • make code-check
    • Runs pre-commit hooks against all files.

Details on the project used to demonstrate the DevSecOps best practices

A Go (Golang) Backend Clean Architecture project with Gin, MongoDB, JWT authentication middleware, tests, and Docker.

More details can be found on the following GitHub repository: go-backend-clean-architecture
