diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index dc1927b..50ac101 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -7,42 +7,24 @@ on: pull_request: schedule: - cron: '0 3 * * 1' + workflow_dispatch: # Allow manual trigger jobs: - analyze: + lint: name: lint runs-on: ubuntu-latest strategy: fail-fast: false - permissions: - # required for codeql analysis - security-events: write - steps: - uses: actions/checkout@v6 - uses: actions/setup-go@v6 - with: - go-version: 'stable' + - name: golangci-lint uses: golangci/golangci-lint-action@v9 with: args: --timeout 120s --max-same-issues 50 - - name: Bearer - uses: bearer/bearer-action@v2 - with: - skip-path: 'docs/' - - - name: Initialize CodeQL - uses: github/codeql-action/init@v4 - with: - languages: go - - name: Autobuild - uses: github/codeql-action/autobuild@v4 - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 - # - name: Install mdsf # uses: hougesen/mdsf@main diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml new file mode 100644 index 0000000..c6587c4 --- /dev/null +++ b/.github/workflows/security.yml 
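Review bot: The lint job drops its job-level `permissions` block in this hunk without a replacement, so it now runs with the repository's default GITHUB_TOKEN permissions, which may be broader than the read-only access golangci-lint needs; add `permissions:` / `  contents: read` at the job or workflow level, matching the `contents: read` that the new security.yml declares. The `with: go-version: 'stable'` input is also removed from the setup-go step, so the toolchain the linter runs under is now whatever setup-go chooses with no inputs (presumably from go.mod or the runner image — confirm), which makes lint results less reproducible across runner updates; `go-version-file: go.mod` would pin it explicitly. The enclosing `on:` block starts before this hunk.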
@@ -0,0 +1,119 @@
+name: Security scan
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ schedule:
+ - cron: '0 3 * * 1'
+ workflow_dispatch: # Allow manual trigger
+
+permissions:
+ contents: read
+ # required for codeql analysis
+ security-events: write
+
+jobs:
+ govulncheck:
+ name: govulncheck
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ steps:
+ - uses: actions/checkout@v6
+ - uses: actions/setup-go@v6
+
+ - name: Install govulncheck
+ run: go install golang.org/x/vuln/cmd/govulncheck@latest
+
+ - name: govulncheck
+ run: govulncheck ./...
+
+ bearer:
+ name: bearer
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ steps:
+ - uses: actions/checkout@v6
+ - name: Bearer
+ uses: bearer/bearer-action@v2
+ with:
+ skip-path: 'docs/'
+
+ codeql:
+ name: codeql
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ steps:
+ - uses: actions/checkout@v6
+ - uses: actions/setup-go@v6
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v4
+ with:
+ languages: go
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v4
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v4
+
+ trivy-codeql:
+ name: trivy-codeql
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ steps:
+ - uses: actions/checkout@v6
+ - uses: actions/setup-go@v6
+
+ - name: Run Trivy vulnerability scanner (source code)
+ uses: aquasecurity/trivy-action@0.35.0
+ with:
+ scan-type: "fs"
+ scan-ref: "."
+ scanners: "vuln,secret,misconfig"
+ format: "sarif"
+ output: "trivy-results.sarif"
+ severity: "CRITICAL,HIGH,MEDIUM"
+ ignore-unfixed: true
+
+ - name: Upload Trivy results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v4
+ if: always()
+ with:
+ sarif_file: "trivy-results.sarif"
+
+ trivy-logs:
+ name: trivy-logs
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ steps:
+ - uses: actions/checkout@v6
+ - uses: actions/setup-go@v6
+
+ - name: Run Trivy scanner (table output for logs)
+ uses: aquasecurity/trivy-action@0.35.0
+ if: always()
+ with:
+ scan-type: "fs"
+ scan-ref: "."
+ scanners: "vuln,secret,misconfig"
+ format: "table"
+ severity: "CRITICAL,HIGH,MEDIUM"
+ ignore-unfixed: true
+ exit-code: "1"
+
+ - name: Run Trivy scanner (license)
+ uses: aquasecurity/trivy-action@0.35.0
+ if: always()
+ with:
+ scan-type: fs
+ scan-ref: .
+ scanners: license
+ severity: UNKNOWN,HIGH,CRITICAL
+ format: table
\ No newline at end of file
diff --git a/.golangci.yml b/.golangci.yml
index 2a71979..04414ad 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -37,6 +37,7 @@ linters:
 - tparallel
 - paralleltest
 - predeclared
+ - modernize
 # disable noisy/controversial ones which you might enable later
 disable:
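Review bot: The workflow-level `permissions` grants `security-events: write` to all five jobs, but only `codeql` and `trivy-codeql` call `github/codeql-action` to upload results; `govulncheck`, `bearer` and `trivy-logs` execute third-party or `@latest` code with a token that can write to the Security tab. Keep `contents: read` at the top and move `security-events: write` into job-level `permissions` on the two uploading jobs, as sketched below. Separately, `go install golang.org/x/vuln/cmd/govulncheck@latest` fetches an unpinned tool on every run; pin it, e.g. `run: go install golang.org/x/vuln/cmd/govulncheck@<pinned-version>`, so the scanner changes only through a reviewed bump. The file also ends without a trailing newline, and the license step uses unquoted values (`scan-type: fs`, `severity: UNKNOWN,HIGH,CRITICAL`) while the earlier Trivy steps quote theirs; both parse, but one quoting style per file reads better.
```yaml
permissions:
  contents: read

jobs:
  # … unchanged: govulncheck, bearer jobs …

  codeql:
    name: codeql
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # required for codeql analysis
      security-events: write
    # … unchanged: strategy, steps …

  trivy-codeql:
    name: trivy-codeql
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # required for upload-sarif
      security-events: write
    # … unchanged: strategy, steps …
```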