test: unit-test-reformat.go #4347
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Go Security CI | |
| on: | |
| push: | |
| branches: | |
| - "master" | |
| paths: | |
| - '**/*.go' | |
| - '**/*.java' | |
| - '**/go.mod' | |
| pull_request: | |
| branches: | |
| - "*" | |
| paths: | |
| - '**/*.go' | |
| - '**/*.java' | |
| - '**/go.mod' | |
| workflow_dispatch: | |
| inputs: | |
| logLevel: | |
| description: "Log level" | |
| required: true | |
| default: "warning" | |
| jobs: | |
| govulncheck: | |
| name: govulncheck | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-go@v4 | |
| with: | |
| go-version-file: "go.mod" | |
| - name: Install govulncheck | |
| run: go install golang.org/x/vuln/cmd/govulncheck@latest | |
| - name: Run vulnerability checks | |
| run: | | |
| govulncheck ./... >/tmp/govuln.txt 2>&1 || VULN_EXIT=$? | |
| VULN_EXIT=${VULN_EXIT:-0} | |
| cat /tmp/govuln.txt | |
| if [ "$VULN_EXIT" -ne 3 ]; then | |
| exit "$VULN_EXIT" | |
| fi | |
| # Repo root is the job working directory; do not use ../.govulnignore | |
| IGNORED=$(grep -vE '^\s*(#|$)' .govulnignore 2>/dev/null | grep -oE 'GO-[0-9]+-[0-9]+' | sort -u | paste -s -d '|' -) | |
| FOUND=$(grep -oE 'GO-[0-9]+-[0-9]+' /tmp/govuln.txt | sort -u) | |
| UNKNOWN="$FOUND" | |
| if [ -n "$IGNORED" ]; then | |
| UNKNOWN=$(echo "$UNKNOWN" | grep -vE "$IGNORED" || true) | |
| fi | |
| if [ -n "$UNKNOWN" ]; then | |
| echo "Unsuppressed vulnerabilities found: $UNKNOWN" | |
| exit 1 | |
| fi | |
| echo -e "\033[0;32m✅ govulncheck: all findings suppressed via .govulnignore\033[0m" | |
| gosec: | |
| name: GoSec Security Scanner | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-go@v4 | |
| with: | |
| go-version-file: "go.mod" | |
| - name: install gosec | |
| run: curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.22.11 | |
| - name: Run Gosec Security Scanner | |
| run: $(go env GOPATH)/bin/gosec -exclude=G115 -severity=high -confidence=medium ./... | |
| trivy-go: | |
| name: trivy-go | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Run Trivy Go vulnerability scanner in repo mode | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| skip-dirs: './destination/iceberg/olake-iceberg-java-writer' | |
| exit-code: '1' | |
| scan-type: 'fs' | |
| scan-ref: './' | |
| scanners: 'vuln' | |
| severity: 'HIGH,CRITICAL' | |
| ignore-unfixed: true | |
| # TODO: Add Java Dependency Trivy (removed because trivy getting stuck or run for hours) | |
| # trivy-java: | |
| # name: trivy-java | |
| # runs-on: ubuntu-latest | |
| # timeout-minutes: 10 | |
| # steps: | |
| # - name: Checkout code | |
| # uses: actions/checkout@v3 | |
| # - name: Run Trivy Java vulnerability scanner in repo mode | |
| # uses: aquasecurity/trivy-action@master | |
| # with: | |
| # exit-code: '1' | |
| # scan-type: 'fs' | |
| # scan-ref: './destination/iceberg/olake-iceberg-java-writer' | |
| # scanners: 'vuln' | |
| # severity: 'HIGH,CRITICAL' |