
chore(deps)(deps): bump actions/upload-artifact from 4 to 7 (#200) #770


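name: 🔒 Security Analysis

on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]
  schedule:
    # Run security scan every day at 6:00 AM UTC
    - cron: "0 6 * * *"
  workflow_dispatch:

# Default GITHUB_TOKEN scopes for the run. The two jobs that call the
# reusable scan workflow inherit this full set because that workflow's
# requirements are not visible in this file; every job whose steps ARE
# visible here narrows the token to what those steps actually use.
# NOTE(review): no step in this file uses `issues: write`; if the reusable
# scan workflow does not need it either, drop it.
permissions:
  actions: read
  contents: read
  security-events: write
  issues: write

# NOTE(review): the scheduled run on main shares this group with pushes to
# main, so a push landing while the nightly scan is in flight cancels it.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  GO_VERSION: "1.26.1"

jobs:
  # ===================================
  # Static Analysis Security Testing
  # ===================================
  sast:
    name: 🔍 Static Analysis
    uses: ./.github/workflows/_reusable-security-scan.yml
    with:
      # Literal on purpose: the `env` context is not available in the
      # `with:` of a reusable-workflow call, so GO_VERSION cannot be used here.
      go-version: "1.26.1"
      upload-sarif: true
      run-vulncheck: false

  # ===================================
  # Vulnerability Scanning
  # ===================================
  vulnerability-scan:
    name: 🛡️ Vulnerability Scan
    uses: ./.github/workflows/_reusable-security-scan.yml
    with:
      # Literal for the same reason as in `sast`.
      go-version: "1.26.1"
      upload-sarif: false
      run-vulncheck: true

  # ===================================
  # License Compliance Check
  # ===================================
  license-check:
    name: 📜 License Compliance
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
      contents: read
    # The check step below never fails the job, so `needs.license-check.result`
    # is "success" even when issues were found. Expose the step's own verdict
    # so the summary job can tell the two cases apart.
    outputs:
      result: ${{ steps.license-check.outputs.result }}
    steps:
      - name: 📂 Checkout code
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: 🐹 Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: ${{ env.GO_VERSION }}
          cache: true
      - name: 📥 Download dependencies
        run: go mod download
      # NOTE(review): `@latest` resolves to whatever go-licenses release is
      # newest at run time, so the check is not reproducible and a breaking or
      # malicious release lands unreviewed; pin a tagged version.
      - name: 📜 Install go-licenses
        run: go install github.com/google/go-licenses@latest
      # Sets the step output `result` to `compliant` or `issues_found` and
      # writes a Markdown report under licenses/ for the artifact upload.
      - name: 🔍 Check license compliance
        id: license-check
        run: |
          echo "🔍 Checking license compliance..."
          # Create licenses directory
          mkdir -p licenses
          # Generate license report
          {
            echo "## 📜 License Compliance Report"
            echo ""
            echo "**Generated:** $(date -u '+%Y-%m-%d %H:%M:%S UTC')"
            echo ""
          } > licenses/report.md
          # `go-licenses check` runs with its built-in default policy; the
          # list below is not passed to it (kept for a future explicit policy,
          # see `go-licenses check --help` for the relevant flags).
          # FORBIDDEN_LICENSES="GPL-2.0,GPL-3.0,AGPL-1.0,AGPL-3.0"
          if go-licenses check ./...; then
            echo "result=compliant" >> "$GITHUB_OUTPUT"
            {
              echo "### ✅ License Compliance"
              echo "All dependencies use compatible licenses."
            } >> licenses/report.md
          else
            echo "result=issues_found" >> "$GITHUB_OUTPUT"
            {
              echo "### ⚠️ License Issues Found"
              echo "Some dependencies may have licensing issues. Review required."
            } >> licenses/report.md
          fi
          {
            echo ""
            echo "### 📋 Dependency Licenses"
            echo ""
          } >> licenses/report.md
          # List all licenses; a failure here only degrades the report.
          go-licenses report ./... >> licenses/report.md 2>/dev/null || echo "Unable to generate detailed license report" >> licenses/report.md
      - name: 📤 Upload license compliance results
        uses: actions/upload-artifact@v7
        with:
          name: license-compliance-results
          path: licenses/
          retention-days: 30

  # ===================================
  # Secrets Detection
  # ===================================
  secrets-detection:
    name: 🔐 Secrets Detection
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
      contents: read
    steps:
      - name: 📂 Checkout code
        uses: actions/checkout@v6
        with:
          # Full history: TruffleHog walks commits, not just the working tree.
          fetch-depth: 0
      # NOTE(review): `@main` is a mutable ref on a third-party action that
      # runs against the full repository history; pin it to a release tag or,
      # better, a commit SHA so an upstream change cannot alter what runs here.
      #
      # On a pull request, diff the PR commits against the default branch.
      - name: 🔐 Run TruffleHog secrets detection (pull request)
        if: github.event_name == 'pull_request'
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          base: ${{ github.event.repository.default_branch }}
          head: HEAD
          extra_args: --results=verified,unknown
      # On push/schedule/dispatch the checkout IS main, so a `base: main`
      # would resolve to the same commit as HEAD and there would be nothing to
      # diff; scan the whole history instead so the nightly run is meaningful.
      - name: 🔐 Run TruffleHog secrets detection (full history)
        if: github.event_name != 'pull_request'
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          extra_args: --results=verified,unknown

  # ===================================
  # Container Security Scanning
  # ===================================
  # NOTE(review): this job builds the image (`load: true`) but no step in this
  # file scans it or consumes the tag, and the job is not in
  # `security-summary.needs`; either add the scanner step or rename the job so
  # the summary does not imply a scan that is not performed here.
  container-security:
    name: 🐳 Container Security
    runs-on: ubuntu-latest
    timeout-minutes: 20
    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
    permissions:
      contents: read
    strategy:
      matrix:
        os: [alpine, ubuntu-jammy]
    steps:
      - name: 📂 Checkout code
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: 🐳 Set up Docker Buildx
        uses: docker/setup-buildx-action@v4
      - name: 🔨 Build container image
        uses: docker/build-push-action@v7
        with:
          context: .
          file: build/deploy/${{ matrix.os }}/Dockerfile
          tags: yap-${{ matrix.os }}:security-scan
          load: true
          cache-from: type=gha
          cache-to: type=gha,mode=max

  # ===================================
  # Security Summary Report
  # ===================================
  security-summary:
    name: 📊 Security Summary
    runs-on: ubuntu-latest
    timeout-minutes: 5
    needs: [sast, vulnerability-scan, license-check, secrets-detection]
    if: always()
    permissions:
      actions: read
      contents: read
    steps:
      - name: 📥 Download security artifacts
        uses: actions/download-artifact@v8
        with:
          pattern: "*-results"
          merge-multiple: true
      # Context values are passed through `env` rather than expanded inside
      # the script so the shell only ever sees quoted variables.
      - name: 📝 Generate security summary
        env:
          EVENT_NAME: ${{ github.event_name }}
          REPOSITORY: ${{ github.repository }}
          SAST_RESULT: ${{ needs.sast.result }}
          VULN_RESULT: ${{ needs.vulnerability-scan.result }}
          LICENSE_RESULT: ${{ needs.license-check.result }}
          # Step-level verdict; empty when the job was skipped or failed early.
          LICENSE_VERDICT: ${{ needs.license-check.outputs.result }}
          SECRETS_RESULT: ${{ needs.secrets-detection.result }}
        run: |
          {
            echo "## 🔒 Security Analysis Summary"
            echo ""
            echo "**Analysis Date:** $(date -u '+%Y-%m-%d %H:%M:%S UTC')"
            echo "**Trigger:** ${EVENT_NAME}"
            echo ""
            echo "### 📋 Security Checks"
            echo "| Check | Status | Details |"
            echo "|-------|--------|---------|"
            echo "| 🔍 Static Analysis | ${SAST_RESULT} | Gosec security scanner |"
            echo "| 🛡️ Vulnerability Scan | ${VULN_RESULT} | Go vulnerability database |"
            echo "| 📜 License Compliance | ${LICENSE_RESULT} | Dependency license check (${LICENSE_VERDICT:-no verdict}) |"
            echo "| 🔐 Secrets Detection | ${SECRETS_RESULT} | TruffleHog scan |"
            echo ""
          } >> "$GITHUB_STEP_SUMMARY"
          # Overall status: every job must have succeeded AND the license step
          # must have reported `compliant` -- the license job does not fail on
          # findings, so its job result alone cannot gate PASS.
          if [[ "${SAST_RESULT}" == "success" && \
                "${VULN_RESULT}" == "success" && \
                "${LICENSE_RESULT}" == "success" && \
                "${LICENSE_VERDICT}" == "compliant" && \
                "${SECRETS_RESULT}" == "success" ]]; then
            {
              echo "### ✅ Overall Security Status: PASS"
              echo "All security checks completed successfully."
            } >> "$GITHUB_STEP_SUMMARY"
          else
            {
              echo "### ⚠️ Overall Security Status: REVIEW REQUIRED"
              echo "Some security checks require attention. Please review the failed checks above."
            } >> "$GITHUB_STEP_SUMMARY"
          fi
          {
            echo ""
            echo "### 🔗 Security Resources"
            echo "- [Security Policy](https://github.com/${REPOSITORY}/security/policy)"
            echo "- [Security Advisories](https://github.com/${REPOSITORY}/security/advisories)"
            echo "- [Dependency Graph](https://github.com/${REPOSITORY}/network/dependencies)"
            echo "- [Go Vulnerability Database](https://vuln.go.dev/)"
          } >> "$GITHUB_STEP_SUMMARY"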