chore(ci): add trivy (#251)

* chore(ci): add trivy

* oops

* chore(ci): add trivy

* oops

Author: samber

.github/workflows/lint.yml

@@ -7,42 +7,24 @@ on:
   pull_request:
   schedule:
     - cron: '0 3 * * 1'
+  workflow_dispatch: # Allow manual trigger
 
 jobs:
-  analyze:
+  lint:
     name: lint
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
 
-    permissions:
-      # required for codeql analysis
-      security-events: write
-
     steps:
       - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
-        with:
-          go-version: 'stable'
+
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v9
         with:
           args: --timeout 120s --max-same-issues 50
 
-      - name: Bearer
-        uses: bearer/bearer-action@v2
-        with:
-          skip-path: 'docs/'
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
-        with:
-          languages: go
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@v4
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
-
       # - name: Install mdsf
       #   uses: hougesen/mdsf@main
 

.github/workflows/security.yml

@@ -0,0 +1,119 @@
+name: Security scan
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+  schedule:
+    - cron: '0 3 * * 1'
+  workflow_dispatch: # Allow manual trigger
+
+permissions:
+  contents: read
+  # required for codeql analysis
+  security-events: write
+
+jobs:
+  govulncheck:
+    name: govulncheck
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
+
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+
+      - name: govulncheck
+        run: govulncheck ./...
+
+  bearer:
+    name: bearer
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+    steps:
+      - uses: actions/checkout@v6
+      - name: Bearer
+        uses: bearer/bearer-action@v2
+        with:
+          skip-path: 'docs/'
+
+  codeql:
+    name: codeql
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: go
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v4
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4
+
+  trivy-codeql:
+    name: trivy-codeql
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
+
+      - name: Run Trivy vulnerability scanner (source code)
+        uses: aquasecurity/trivy-action@0.35.0
+        with:
+          scan-type: "fs"
+          scan-ref: "."
+          scanners: "vuln,secret,misconfig"
+          format: "sarif"
+          output: "trivy-results.sarif"
+          severity: "CRITICAL,HIGH,MEDIUM"
+          ignore-unfixed: true
+
+      - name: Upload Trivy results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v4
+        if: always()
+        with:
+          sarif_file: "trivy-results.sarif"
+
+  trivy-logs:
+    name: trivy-logs
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
+
+      - name: Run Trivy scanner (table output for logs)
+        uses: aquasecurity/trivy-action@0.35.0
+        if: always()
+        with:
+          scan-type: "fs"
+          scan-ref: "."
+          scanners: "vuln,secret,misconfig"
+          format: "table"
+          severity: "CRITICAL,HIGH,MEDIUM"
+          ignore-unfixed: true
+          exit-code: "1"
+
+      - name: Run Trivy scanner (license)
+        uses: aquasecurity/trivy-action@0.35.0
+        if: always()
+        with:
+          scan-type: fs
+          scan-ref: .
+          scanners: license
+          severity: UNKNOWN,HIGH,CRITICAL
+          format: table

.golangci.yml

@@ -37,6 +37,7 @@ linters:
     - tparallel
     - paralleltest
     - predeclared
+    - modernize
 
   # disable noisy/controversial ones which you might enable later
   disable: