Security Scan #63

Workflow file for this run

.github/workflows/security.yml at f03d190

	name: Security Scan

	on:
	push:
	branches: [main, develop]
	pull_request:
	branches: [main, develop]
	schedule:
	# Run security scan daily at 2 AM UTC
	- cron: "0 2 * * *"
	workflow_dispatch:
	# Allow manual trigger

	jobs:
	security:
	name: Security Vulnerability Scan
	runs-on: ubuntu-latest

	steps:
	- name: Checkout code
	uses: actions/checkout@v4

	- name: Set up Go
	uses: actions/setup-go@v5
	with:
	go-version-file: go.mod
	check-latest: true

	- name: Run govulncheck
	uses: golang/govulncheck-action@v1
	with:
	go-version-file: go.mod
	go-package: ./...
	cache: true

	- name: Run security scan with JSON output
	run: \|
	echo "Running govulncheck with JSON output for detailed analysis..."
	go install golang.org/x/vuln/cmd/govulncheck@latest
	govulncheck -json ./... > security-report.json

	- name: Upload security report
	uses: actions/upload-artifact@v4
	if: always()
	with:
	name: security-report
	path: security-report.json
	retention-days: 30

	security-scanning:
	name: CodeQL Security Analysis
	runs-on: ubuntu-latest
	permissions:
	actions: read
	contents: read
	security-events: write

	steps:
	- name: Checkout repository
	uses: actions/checkout@v4

	- name: Set up Go
	uses: actions/setup-go@v5
	with:
	go-version-file: go.mod
	check-latest: true

	- name: Initialize CodeQL
	uses: github/codeql-action/init@v3
	with:
	languages: go
	queries: security-and-quality

	- name: Build project
	run: \|
	go mod download
	go build -v ./...

	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@v3
	with:
	category: "/language:go"
	upload: true

	dependency-review:
	name: Dependency Review
	runs-on: ubuntu-latest
	# Only run on pull requests
	if: github.event_name == 'pull_request'
	steps:
	- name: Checkout Repository
	uses: actions/checkout@v4

	- name: Dependency Review
	uses: actions/dependency-review-action@v4
	with:
	fail-on-severity: moderate
	allow-licenses: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC

	trivy-scan:
	name: Trivy Vulnerability Scan
	runs-on: ubuntu-latest
	permissions:
	actions: read
	contents: read
	security-events: write

	steps:
	- name: Checkout code
	uses: actions/checkout@v4

	- name: Set up Go
	uses: actions/setup-go@v5
	with:
	go-version-file: go.mod
	check-latest: true

	- name: Run Trivy vulnerability scanner
	continue-on-error: true
	uses: aquasecurity/trivy-action@0.20.0
	with:
	scan-type: "fs"
	scan-ref: "."
	format: "sarif"
	output: "trivy-results.sarif"
	severity: "CRITICAL,HIGH,MEDIUM"
	scanners: "vuln,secret,config"

	- name: Check if SARIF file exists
	id: check_sarif
	run: \|
	if [ -f "trivy-results.sarif" ]; then
	echo "sarif_exists=true" >> $GITHUB_OUTPUT
	else
	echo "sarif_exists=false" >> $GITHUB_OUTPUT
	fi

	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v3
	if: always() && steps.check_sarif.outputs.sarif_exists == 'true'
	with:
	sarif_file: "trivy-results.sarif"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Security Scan #63

Workflow file

Security Scan #63

Uh oh!

Workflow file for this run