
deps: bump github.com/zalando/go-keyring from 0.2.7 to 0.2.8 in the go-dependencies group #62



Workflow file for this run

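---
# Security scanning workflow: secret scanning (gitleaks), filesystem
# vulnerability scan (Trivy), Go static analysis (gosec), dependency review
# on pull requests, and CodeQL. The workflow-level token has no permissions;
# each job requests only the scopes it actually uses, and every checkout
# runs with persist-credentials disabled so the token is not left on disk.
name: Security

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 6 * * 1'  # weekly, Monday 06:00 UTC
  workflow_call:
  workflow_dispatch:

# Deny-by-default; scopes are granted per job below.
permissions: {}

jobs:
  secrets:
    name: Secret scanning
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Full history so the scan covers past commits, not only HEAD.
          fetch-depth: 0
          persist-credentials: false
      - name: Install gitleaks
        # The pinned release archive is downloaded into a scratch directory
        # (outside the checkout that gitleaks will scan) and verified against
        # the checksum file published with the release before it is installed.
        # Previously the archive was piped straight from curl into tar with no
        # integrity check, and without pipefail a failed download could be
        # masked by a successful tar exit status.
        shell: bash
        env:
          GITLEAKS_VERSION: '8.21.2'
        run: |
          set -euo pipefail
          base="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}"
          archive="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
          workdir="$(mktemp -d)"
          cd "${workdir}"
          curl -sSfL -o "${archive}" "${base}/${archive}"
          curl -sSfL -o checksums.txt "${base}/gitleaks_${GITLEAKS_VERSION}_checksums.txt"
          # grep exits non-zero if the archive has no entry, which fails the step.
          grep " ${archive}$" checksums.txt | sha256sum -c -
          tar -xzf "${archive}" gitleaks
          sudo mv gitleaks /usr/local/bin/
      - name: Run gitleaks
        run: make secrets

  trivy:
    name: Trivy vulnerability scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Run Trivy vulnerability scanner (filesystem)
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
        with:
          scan-type: 'fs'
          scan-ref: '.'
          severity: 'HIGH,CRITICAL'
          # Fail the step on findings; the SARIF upload below still runs
          # because it is guarded with `if: always()`.
          exit-code: '1'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-results.sarif'
          version: 'v0.69.3'
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
        if: always()
        continue-on-error: true # Requires GitHub Advanced Security
        with:
          sarif_file: 'trivy-results.sarif'

  gosec:
    name: Gosec
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: go.mod
      - name: Install gosec
        run: go install github.com/securego/gosec/v2/cmd/gosec@v2.23.0
      - name: Run gosec
        # -no-fail: findings are reported via SARIF rather than failing the job.
        run: gosec -no-fail -fmt sarif -out gosec-results.sarif ./...
      - name: Upload gosec scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
        if: always()
        continue-on-error: true # Requires GitHub Advanced Security
        with:
          sarif_file: 'gosec-results.sarif'

  dependency-review:
    name: Dependency review
    runs-on: ubuntu-latest
    # Only meaningful for pull requests, which is where the diff of
    # dependency manifests exists.
    if: github.event_name == 'pull_request'
    permissions:
      contents: read
      pull-requests: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
        continue-on-error: true # Requires GitHub Advanced Security

  codeql:
    name: CodeQL
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: go.mod
      - name: Initialize CodeQL
        uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
        with:
          languages: go
          # Manual build mode: the explicit build step below is traced.
          build-mode: manual
          config-file: ./.github/codeql/codeql-config.yml
      - name: Build
        env:
          CODEQL_EXTRACTOR_GO_BUILD_TRACING: 'on'
        run: go build ./...
      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
        with:
          category: codeql-go
          # Upload is done by the separate step below so it can be marked
          # best-effort where Advanced Security is not enabled.
          upload: never
          output: sarif-results
      - name: Upload SARIF to GitHub Security tab
        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
        continue-on-error: true # Requires GitHub Advanced Security
        with:
          sarif_file: sarif-results
          category: codeql-go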