-
-
Notifications
You must be signed in to change notification settings - Fork 0
119 lines (101 loc) · 2.62 KB
/
Copy pathsecurity.yml
File metadata and controls
119 lines (101 loc) · 2.62 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
name: Security
on:
push:
branches: [master]
pull_request:
branches: [master]
schedule:
- cron: "0 6 * * 1"
permissions:
contents: read
security-events: write
pull-requests: write
jobs:
govulncheck:
name: govulncheck
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Set up Go
uses: actions/setup-go@v6
with:
go-version: "1.26.3"
- name: Run govulncheck
run: |
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck -show verbose ./...
gosec:
name: gosec
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Set up Go
uses: actions/setup-go@v6
with:
go-version: "1.26.3"
- name: Run gosec
uses: securego/gosec@master
env:
GOTOOLCHAIN: auto
with:
args: "-no-fail -fmt=sarif -out=gosec.sarif -severity=medium -confidence=medium -exclude=G101,G115,G204,G304,G306,G401,G501 ./..."
- name: Upload SARIF
if: always() && hashFiles('gosec.sarif') != ''
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: gosec.sarif
category: gosec
trivy:
name: trivy
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Trivy filesystem scan
uses: aquasecurity/trivy-action@master
with:
scan-type: fs
scan-ref: .
format: sarif
output: trivy.sarif
severity: CRITICAL,HIGH,MEDIUM
ignore-unfixed: true
exit-code: "0"
- name: Upload SARIF
if: always()
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: trivy.sarif
category: trivy
- name: Trivy config scan
uses: aquasecurity/trivy-action@master
with:
scan-type: config
scan-ref: .
format: table
severity: CRITICAL,HIGH
exit-code: "1"
skip-dirs: docs/node_modules
codeql:
name: codeql
runs-on: ubuntu-latest
permissions:
security-events: write
actions: read
contents: read
steps:
- uses: actions/checkout@v6
- name: Set up Go
uses: actions/setup-go@v6
with:
go-version: "1.26.3"
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: go
queries: security-extended
- name: Build
run: go build ./...
- name: Analyze
uses: github/codeql-action/analyze@v4
with:
category: codeql-go