
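# Security scanning workflow
#
# Three independent jobs:
#   - govulncheck:       known-vulnerability scan of the Go module graph
#   - gosec:             static analysis, reported to the Security tab as SARIF
#   - dependency-review: blocks pull requests that add dependencies with
#                        high/critical advisories
#
# Every third-party action is pinned to a full commit SHA (the trailing
# comment records the corresponding release tag for humans).
name: Security

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  schedule:
    # Run weekly on Monday at 00:00 UTC
    - cron: "0 0 * * 1"

# Workflow-wide default is read-only. Jobs that need anything more declare it
# themselves (least privilege per job) rather than inheriting a broad grant.
permissions:
  contents: read

jobs:
  # Dependency vulnerability scanning
  govulncheck:
    name: Go Vulnerability Check
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        with:
          go-version-file: 'go.mod'
          cache: true
      - name: Install govulncheck
        # NOTE(review): `@latest` is a moving target, unlike the SHA-pinned
        # actions in this file. Pin to an explicit module version (and bump it
        # deliberately) so the scanner itself is part of the reviewed supply chain.
        run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - name: Run govulncheck
        # No -no-fail equivalent here: a non-zero exit fails the job.
        run: govulncheck ./...

  # Static analysis with gosec
  gosec:
    name: Security Scan (gosec)
    runs-on: ubuntu-latest
    # security-events: write is needed to upload SARIF; actions: read is
    # required by upload-sarif on private repositories.
    permissions:
      contents: read
      actions: read
      security-events: write
    steps:
      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - uses: securego/gosec@6be2b51fd78feca86af91f5186b7964d76cb1256 # v2.22.10
        with:
          # -no-fail: findings do not fail this job. They are uploaded as
          # code-scanning alerts below, where GitHub Security features
          # (alert triage, branch-protection on code scanning results) decide
          # whether a change is blocked.
          args: '-no-fail -fmt sarif -out results.sarif ./...'
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@ce729e4d353d580e6cacd6a8cf2921b72e5e310a # v2.23.6
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: results.sarif

  # Dependency review for PRs
  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    # The action diffs the PR base against its head, so it is only meaningful
    # on pull_request events; skipped on push and schedule.
    if: github.event_name == 'pull_request'
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2
        with:
          # Fail the check when a newly introduced dependency carries a
          # high or critical severity advisory.
          fail-on-severity: high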