Skip to content
Security

feat: add RPM/DEB package builds for amd64, arm64 #230

Sign in to view logs

feat: add RPM/DEB package builds for amd64, arm64

feat: add RPM/DEB package builds for amd64, arm64 #230

Workflow file for this run

.github/workflows/security.yml at 3094642
name: Security
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main ]
schedule:
# Run security scan every Monday at 6 AM UTC
- cron: '0 6 * * 1'
workflow_dispatch:
permissions:
contents: read
security-events: write
jobs:
govulncheck:
name: Go Vulnerability Check
runs-on: ubuntu-latest
continue-on-error: true # Don't fail on SARIF upload issues
steps:
- name: Check out code
uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: 'go.mod'
cache: true
- name: Install govulncheck
run: go install golang.org/x/vuln/cmd/govulncheck@latest
- name: Run govulncheck
run: |
govulncheck -format sarif ./... > govulncheck.sarif
- name: Upload SARIF report
uses: github/codeql-action/upload-sarif@v4
if: always() && github.event_name != 'pull_request'
continue-on-error: true
with:
sarif_file: govulncheck.sarif
category: govulncheck
gosec:
name: Security Scan
runs-on: ubuntu-latest
continue-on-error: true # Don't fail on SARIF upload issues
steps:
- name: Check out code
uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: 'go.mod'
cache: true
- name: Run Gosec Security Scanner
uses: securego/gosec@v2.23.0
with:
args: '-no-fail -fmt sarif -out gosec.sarif ./...'
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v4
if: always() && github.event_name != 'pull_request'
continue-on-error: true
with:
sarif_file: gosec.sarif
category: gosec
nancy:
name: Dependency Security Scan
runs-on: ubuntu-latest
# Skip for fork PRs as secrets are not available
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
continue-on-error: true # Don't fail if nancy has issues
steps:
- name: Check out code
uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: 'go.mod'
cache: true
- name: Install Nancy
run: go install github.com/sonatype-nexus-community/nancy@latest
- name: Download dependencies
run: go mod download
- name: Run Nancy
env:
OSSI_TOKEN: ${{ secrets.SONATATYPE_OSSI_TOKEN }}
OSSI_USERNAME: ${{ vars.SONATATYPE_OSSI_USERNAME }}
run: |
# Skip if credentials are not available (e.g., fork PRs)
if [ -z "$OSSI_TOKEN" ] || [ -z "$OSSI_USERNAME" ]; then
echo "⚠️ OSSI credentials not available, skipping Nancy scan"
echo "This is expected for fork PRs where secrets are not accessible"
exit 0
fi
go list -json -deps ./... | nancy sleuth --token "$OSSI_TOKEN" --username "$OSSI_USERNAME"
secret-scan:
name: Secret Scanning
runs-on: ubuntu-latest
# Skip on push events where before/after are the same (initial commit, force push to same SHA)
if: github.event_name != 'push' || github.event.before != github.event.after
continue-on-error: true # Don't fail on scanning issues
steps:
- name: Check out code
uses: actions/checkout@v4
with:
fetch-depth: 0 # Fetch full history for proper diff
- name: Run Trufflehog
uses: trufflesecurity/trufflehog@main
with:
path: ./
base: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || github.event.before }}
head: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
extra_args: --only-verified