Read the AI API key also from an environment variable (#1181)

* Read the AI API key also from an environment variable

Change-Id: If18fd025ab2ef68a3690f8a69d1c8894e44a87ef
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>

* Fix lint warning

Change-Id: Icd3eb8a029764db76596c3e171275c03a23f8cef
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>

---------

Signed-off-by: Cosmin Cojocar <ccojocar@google.com>

Author: ccojocar

README.md

@@ -279,7 +279,8 @@ gosec can suggest fixes based on AI recommendation. It will call an AI API to re
 
 You can enable this feature by providing the following command line arguments:
 - `ai-api-provider`: the name of the AI API provider, currently only `gemini`is supported.
-- `ai-api-key`: the key to access the AI API, For gemini, you can create an API key following [these instructions](https://ai.google.dev/gemini-api/docs/api-key).
+- `ai-api-key` or set the environment variable `GOSEC_AI_API_KEY`: the key to access the AI API,
+For gemini, you can create an API key following [these instructions](https://ai.google.dev/gemini-api/docs/api-key).
 - `ai-endpoint`: the endpoint of the AI provider, this is optional argument.
 
 

cmd/gosec/main.go

@@ -59,6 +59,8 @@ USAGE:
 	$ gosec -exclude=G101 $GOPATH/src/github.com/example/project/...
 
 `
+	// Environment variable for AI API key.
+	aiApiKeyEnv = "GOSEC_AI_API_KEY" // #nosec G101
 )
 
 type arrayFlags []string
@@ -468,8 +470,12 @@ func main() {
 	reportInfo := gosec.NewReportInfo(issues, metrics, errors).WithVersion(Version)
 
 	// Call AI request to solve the issues
-	if *flagAiApiProvider != "" && *flagAiApiKey != "" {
-		err := autofix.GenerateSolution(*flagAiApiProvider, *flagAiApiKey, *flagAiEndpoint, issues)
+	aiApiKey := os.Getenv(aiApiKeyEnv)
+	if aiApiKeyEnv == "" {
+		aiApiKey = *flagAiApiKey
+	}
+	if *flagAiApiProvider != "" && aiApiKey != "" {
+		err := autofix.GenerateSolution(*flagAiApiProvider, aiApiKey, *flagAiEndpoint, issues)
 		if err != nil {
 			logger.Print(err)
 		}