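# Security scanning workflow: SAST (CodeQL, Bearer), dependency/secret/misconfig
# scanning (Trivy) and a license report. Results are uploaded as SARIF to the
# repository's Security tab; the `trivy-logs` job is the only one that fails the
# build on findings.
name: Security scan

on:
  push:
    branches:
      # FIX: this was `maser` (typo). With that value the push trigger never
      # matched the default branch, so scans ran only on pull requests, the
      # weekly cron and manual dispatch. Confirm the default branch really is
      # `master` and not `main` before relying on this.
      - master
  pull_request:
  schedule:
    # Weekly, Monday 03:00 UTC.
    - cron: '0 3 * * 1'
  workflow_dispatch: # Allow manual trigger

# Least-privilege GITHUB_TOKEN shared by every job; no job overrides it.
permissions:
  contents: read
  # required for codeql analysis and for the upload-sarif steps below
  security-events: write
  # NOTE(review): github/codeql-action documents `actions: read` as an
  # additional requirement on private repositories. If SARIF upload fails
  # with a 403, add `actions: read` here rather than widening anything else.

# NOTE(review): every action below is referenced by a mutable tag (`@v6`,
# `@v2`, `@v4`, `@0.35.0`). A tag can be re-pointed to different code, which
# makes the security pipeline itself a supply-chain weak point. Pin each
# `uses:` to a full commit SHA and keep the tag in a trailing comment
# (e.g. `uses: actions/checkout@<sha>  # v6`); Dependabot can keep them fresh.

jobs:
  # govulncheck:
  #   name: govulncheck
  #   runs-on: ubuntu-latest
  #   strategy:
  #     fail-fast: false
  #   steps:
  #     - uses: actions/checkout@v6
  #     - uses: actions/setup-go@v6
  #       with:
  #         go-version-file: go.mod
  #     - name: Install govulncheck
  #       run: go install golang.org/x/vuln/cmd/govulncheck@latest
  #     - name: govulncheck
  #       run: govulncheck ./...

  # Bearer SAST over the repository, excluding documentation.
  bearer:
    name: bearer
    runs-on: ubuntu-latest
    strategy:
      # No matrix is declared, so this setting has no effect; kept for parity
      # with the other jobs.
      fail-fast: false
    steps:
      - uses: actions/checkout@v6
      - name: Bearer
        uses: bearer/bearer-action@v2
        with:
          skip-path: 'docs/'

  # CodeQL analysis for Go. Autobuild is used; if the module needs build tags
  # or code generation, replace it with an explicit `go build ./...` step.
  codeql:
    name: codeql
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: go
      - name: Autobuild
        uses: github/codeql-action/autobuild@v4
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4

  # Trivy filesystem scan emitted as SARIF for the Security tab. This job
  # sets no `exit-code`, so it never fails on findings; enforcement is done
  # by `trivy-logs` below. The upload runs with `if: always()` so a partial
  # SARIF is still published when the scan step itself errors.
  trivy-codeql:
    name: trivy-codeql
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
      - name: Run Trivy vulnerability scanner (source code)
        uses: aquasecurity/trivy-action@0.35.0
        with:
          scan-type: "fs"
          scan-ref: "."
          scanners: "vuln,secret,misconfig"
          format: "sarif"
          output: "trivy-results.sarif"
          severity: "CRITICAL,HIGH,MEDIUM"
          # Unfixed CVEs are hidden; review .trivyignore periodically so
          # suppressed findings do not silently become permanent.
          ignore-unfixed: true
          trivyignores: ".trivyignore"
          skip-dirs: "docs/"
      - name: Upload Trivy results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        if: always()
        with:
          sarif_file: "trivy-results.sarif"

  # Same Trivy scan as above but in table form with `exit-code: "1"`, so this
  # is the job that actually blocks a PR on CRITICAL/HIGH/MEDIUM findings.
  trivy-logs:
    name: trivy-logs
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
      - name: Run Trivy scanner (table output for logs)
        uses: aquasecurity/trivy-action@0.35.0
        # NOTE(review): `if: always()` here means the scan also runs when
        # checkout or setup-go failed, which produces a misleading error
        # instead of a clear upstream failure. Consider dropping it on this
        # step and keeping it only on the license report.
        if: always()
        with:
          scan-type: "fs"
          scan-ref: "."
          scanners: "vuln,secret,misconfig"
          format: "table"
          severity: "CRITICAL,HIGH,MEDIUM"
          ignore-unfixed: true
          trivyignores: ".trivyignore"
          exit-code: "1"
          skip-dirs: "docs/"
      # License report. Runs even when the vulnerability step above failed.
      # No `exit-code` is set, so with the action's default this is
      # informational only and never fails the job — confirm that is the
      # intended policy for UNKNOWN/HIGH/CRITICAL license findings.
      - name: Run Trivy scanner (license)
        uses: aquasecurity/trivy-action@0.35.0
        if: always()
        with:
          scan-type: fs
          scan-ref: .
          scanners: license
          severity: UNKNOWN,HIGH,CRITICAL
          format: table
          skip-dirs: "docs/"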