Skip to content
Security Scanning

Bump github.com/cloudflare/circl from 1.3.7 to 1.6.1 #23

Sign in to view logs

Bump github.com/cloudflare/circl from 1.3.7 to 1.6.1

Bump github.com/cloudflare/circl from 1.3.7 to 1.6.1 #23

Workflow file for this run

.github/workflows/security-scanning.yml at 785302a
name: Security Scanning
on:
schedule:
# Run security scans daily at 2 AM UTC
- cron: '0 2 * * *'
push:
branches: [ master, main ]
pull_request:
branches: [ master, main ]
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
env:
GO_VERSION: '1.24'
jobs:
secrets-scan:
name: Secrets Scanning
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Run TruffleHog OSS
uses: trufflesecurity/trufflehog@main
with:
path: ./
extra_args: --debug --only-verified
dependency-scan:
name: Dependency Vulnerability Scan
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Go ${{ env.GO_VERSION }}
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
cache: true
- name: Install Govulncheck
run: |
go install golang.org/x/vuln/cmd/govulncheck@latest
echo "$HOME/go/bin" >> $GITHUB_PATH
- name: Run dependency vulnerability scan
run: |
# Use govulncheck for dependency scanning
govulncheck ./... || echo "Vulnerabilities found - check output above"
- name: Run Govulncheck with JSON output
run: |
govulncheck -json ./... > vulnerability-report.json || true
- name: Process vulnerability results
run: |
if [ -s vulnerability-report.json ]; then
echo "Vulnerability scan completed. Results saved to vulnerability-report.json"
# Extract high-severity vulnerabilities
if command -v jq >/dev/null 2>&1; then
jq '.Vulns[]? | select(.OSV.database_specific.severity == "HIGH" or .OSV.database_specific.severity == "CRITICAL")' vulnerability-report.json > high-severity-vulns.json || true
if [ -s high-severity-vulns.json ]; then
echo "⚠️ High/Critical severity vulnerabilities found!"
cat high-severity-vulns.json
exit 1
fi
fi
fi
- name: Upload vulnerability report
uses: actions/upload-artifact@v4
if: always()
with:
name: vulnerability-report-${{ github.sha }}
path: |
vulnerability-report.json
high-severity-vulns.json
retention-days: 30
license-scan:
name: License Compliance Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Go ${{ env.GO_VERSION }}
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
cache: true
- name: Install go-licenses
run: |
go install github.com/google/go-licenses@latest
echo "$HOME/go/bin" >> $GITHUB_PATH
- name: Check licenses
run: |
go-licenses check ./...
- name: Generate license report
run: |
go-licenses csv ./... > licenses.csv
- name: Upload license report
uses: actions/upload-artifact@v4
with:
name: license-report-${{ github.sha }}
path: licenses.csv
retention-days: 30
container-scan:
name: Container Security Scan
runs-on: ubuntu-latest
if: github.event_name == 'push' || github.event_name == 'schedule'
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Go ${{ env.GO_VERSION }}
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
cache: true
- name: Build binary
run: |
CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o terraform-provider-extip .
- name: Create minimal Dockerfile
run: |
cat > Dockerfile << 'EOF'
FROM scratch
COPY terraform-provider-extip /terraform-provider-extip
ENTRYPOINT ["/terraform-provider-extip"]
EOF
- name: Build container image
run: |
docker build -t terraform-provider-extip:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'terraform-provider-extip:${{ github.sha }}'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results.sarif'