[CI/CD] Add govulncheck to CI (#1416)

sean-breen · Akshay2191 · commit b518fdbdba9c · 2025-12-18T22:09:59.000Z
* [skip ci] add govulncheck workflow

* add vulncheck workflow, call from CI.yml, and allow dispatch

* add nightly-scans.yml workflow

* checkout

* checkout via ref name

* fix calling workflow

* fix startup failure

* Add missing permission for security_events

* add check for go version in go.mod

* fix setting of output from go version step

* use toolchain version

* remove go version input ot reusable workflow, no longer needed

* remove input field
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -82,6 +82,14 @@ jobs:
         with:
           version: v2.4.0
 
+  vulnerability-scan:
+    name: Vulnerability Scan
+    uses: ./.github/workflows/vulncheck.yml
+    permissions:
+      security-events: write
+    with:
+      target-branch: ${{ github.event.pull_request.base.ref || github.ref_name }}
+
   unit-test:
     name: Unit Tests
     runs-on: ubuntu-22.04
diff --git a/.github/workflows/nightly-scans.yml b/.github/workflows/nightly-scans.yml
@@ -0,0 +1,18 @@
+name: nightly-scans.yml
+on:
+  schedule:
+    - cron: '0 2 * * *'  # Runs daily at 2:00 AM UTC
+  workflow_dispatch:
+
+jobs:
+  scan-main:
+    name: Vulnerability Scan - Main
+    uses: ./.github/workflows/vulncheck.yml
+    with:
+      target-branch: 'main'
+
+  scan-v2:
+    name: Vulnerability Scan - dev-v2
+    uses: ./.github/workflows/vulncheck.yml
+    with:
+      target-branch: 'dev-v2'
diff --git a/.github/workflows/vulncheck.yml b/.github/workflows/vulncheck.yml
@@ -0,0 +1,42 @@
+name: vulncheck.yaml
+on:
+  workflow_call:
+    inputs:
+      target-branch:
+        description: 'Target branch to run govulncheck against'
+        type: string
+        required: false
+        default: 'main'
+  workflow_dispatch:
+    inputs:
+      target-branch:
+        description: 'Target branch to run govulncheck against'
+        required: false
+        default: 'main'
+
+jobs:
+  vulncheck:
+    name: Vulnerability Check
+    runs-on: ubuntu-22.04
+    permissions:
+      security-events: write # for reporting vulnerabilities via code-scanning API
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        with:
+            fetch-depth: 0
+            ref: ${{ inputs.targetBranch || 'main' }}
+
+      - name: Check Go version
+        id: get-go-version
+        run: |
+          echo "Reading from go.mod"
+          GO_VERSION=$(grep -E "^toolchain " go.mod | awk -F' ' '{print $2}' | tr -d 'go')
+          echo "Found $GO_VERSION"
+          echo "go-version="$GO_VERSION"" >> $GITHUB_OUTPUT      
+
+      - name: Run govulncheck
+        id: govulncheck
+        uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
+        with:
+          go-version-input: ${{ steps.get-go-version.outputs.go-version }}
