From 62e5dfb9121469109ceff0364e265f0efee97564 Mon Sep 17 00:00:00 2001 From: Samuel Berthe Date: Wed, 25 Mar 2026 23:43:58 +0100 Subject: [PATCH 1/4] chore(ci): add trivy --- .github/workflows/lint.yml | 16 +------- .github/workflows/security.yml | 74 ++++++++++++++++++++++++++++++++++ .golangci.yml | 1 + 3 files changed, 76 insertions(+), 15 deletions(-) create mode 100644 .github/workflows/security.yml diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index dc1927b..e67d594 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -9,7 +9,7 @@ on: - cron: '0 3 * * 1' jobs: - analyze: + lint: name: lint runs-on: ubuntu-latest strategy: @@ -29,20 +29,6 @@ jobs: with: args: --timeout 120s --max-same-issues 50 - - name: Bearer - uses: bearer/bearer-action@v2 - with: - skip-path: 'docs/' - - - name: Initialize CodeQL - uses: github/codeql-action/init@v4 - with: - languages: go - - name: Autobuild - uses: github/codeql-action/autobuild@v4 - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 - # - name: Install mdsf # uses: hougesen/mdsf@main diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml new file mode 100644 index 0000000..bf917fb --- /dev/null +++ b/.github/workflows/security.yml 
@@ -0,0 +1,74 @@ +name: Security + +on: + push: + branches: + - main + pull_request: + schedule: + - cron: '0 3 * * 1' + workflow_dispatch: # Allow manual trigger + +jobs: + analyze: + name: analyze + runs-on: ubuntu-latest + strategy: + fail-fast: false + + permissions: + contents: read + # required for codeql analysis + security-events: write + + steps: + - uses: actions/checkout@v6 + - uses: actions/setup-go@v6 + with: + go-version: 'stable' + + - name: govulncheck + run: govulncheck ./... + + - name: Bearer + uses: bearer/bearer-action@v2 + with: + skip-path: 'docs/' + + - name: Initialize CodeQL + uses: github/codeql-action/init@v4 + with: + languages: go + - name: Autobuild + uses: github/codeql-action/autobuild@v4 + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v4 + + - name: Run Trivy vulnerability scanner (source code) + uses: aquasecurity/trivy-action@0.35.0 + with: + scan-type: "fs" + scan-ref: "." + scanners: "vuln,secret,misconfig" + format: "sarif" + output: "trivy-results.sarif" + severity: "CRITICAL,HIGH,MEDIUM" + ignore-unfixed: true + + - name: Upload Trivy results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v4 + if: always() + with: + sarif_file: "trivy-results.sarif" + + - name: Run Trivy scanner (table output for logs) + uses: aquasecurity/trivy-action@0.35.0 + if: always() + with: + scan-type: "fs" + scan-ref: "." + scanners: "vuln,secret,misconfig" + format: "table" + severity: "CRITICAL,HIGH,MEDIUM" + ignore-unfixed: true + exit-code: "1" \ No newline at end of file diff --git a/.golangci.yml b/.golangci.yml index 2a71979..04414ad 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -37,6 +37,7 @@ linters: - tparallel - paralleltest - predeclared + - modernize # disable noisy/controversial ones which you might enable later disable: From f3f5bf08e56484ad020f6559c5c0c4d4618497bc Mon Sep 17 00:00:00 2001 
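Review bot: Every third-party action in the new security workflow is referenced by a mutable tag (`actions/checkout@v6`, `actions/setup-go@v6`, `bearer/bearer-action@v2`, `github/codeql-action/*@v4`, `aquasecurity/trivy-action@0.35.0`), so the toolchain that produces the Security-tab results can change underneath the repository without any diff here; for a workflow whose whole purpose is supply-chain hygiene, pin each `uses:` to a full-length commit SHA with the tag kept as a trailing comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha> # 0.35.0`, and let Dependabot/Renovate bump it deliberately. In the same hunk, `strategy: fail-fast: false` does nothing without a `matrix` (patch 3's job split copies the same no-op into every job), and the `govulncheck ./...` step invokes a binary that `setup-go` does not provide, so the job fails at that step until an install step exists (patch 4 in this series adds one). The `upload-sarif` step relies on `security-events: write`, which the GITHUB_TOKEN does not receive on `pull_request` runs from forks, so that step is expected to fail on external PRs — either guard it with something like `if: always() && github.event.pull_request.head.repo.full_name == github.repository` or record that the failure is accepted.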
From: Samuel Berthe Date: Wed, 25 Mar 2026 23:44:53 +0100 Subject: [PATCH 2/4] oops --- .github/workflows/lint.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index e67d594..dc28dd9 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -7,6 +7,7 @@ on: pull_request: schedule: - cron: '0 3 * * 1' + workflow_dispatch: # Allow manual trigger jobs: lint: From 3e6f7875795782b3dd9dea8aa1e4db5bc2d312c2 Mon Sep 17 00:00:00 2001 From: Samuel Berthe Date: Wed, 25 Mar 2026 23:55:51 +0100 Subject: [PATCH 3/4] chore(ci): add trivy --- .github/workflows/lint.yml | 7 +--- .github/workflows/security.yml | 66 +++++++++++++++++++++++++++------- 2 files changed, 55 insertions(+), 18 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index dc28dd9..50ac101 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -16,15 +16,10 @@ jobs: strategy: fail-fast: false - permissions: - # required for codeql analysis - security-events: write - steps: - uses: actions/checkout@v6 - uses: actions/setup-go@v6 - with: - go-version: 'stable' + - name: golangci-lint uses: golangci/golangci-lint-action@v9 with: diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index bf917fb..e3f24dd 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -1,4 +1,4 @@ -name: Security +name: Security scan on: push: 
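Review bot: Removing the job-level `permissions:` block from the lint job leaves it on the repository's default GITHUB_TOKEN permissions, which can be broader than `contents: read` depending on the repository setting; the block is being dropped only because CodeQL moved out, so keep `permissions:` / `  contents: read` on the job (or at workflow level) so least privilege is stated rather than inherited. Dropping `with: go-version: 'stable'` from `setup-go` also changes which toolchain the job lints with — with no version input the action's fallback behaviour (runner-provided Go, with or without a warning, depending on the action version) governs, so consider `go-version-file: go.mod` to make it explicit and reproducible. The lint job's steps continue past the end of this hunk.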
@@ -9,41 +9,64 @@ on: - cron: '0 3 * * 1' workflow_dispatch: # Allow manual trigger +permissions: + contents: read + # required for codeql analysis + security-events: write + jobs: - analyze: - name: analyze + govulncheck: + name: govulncheck runs-on: ubuntu-latest strategy: fail-fast: false - - permissions: - contents: read - # required for codeql analysis - security-events: write - steps: - uses: actions/checkout@v6 - uses: actions/setup-go@v6 - with: - go-version: 'stable' - name: govulncheck run: govulncheck ./... + bearer: + name: bearer + runs-on: ubuntu-latest + strategy: + fail-fast: false + steps: + - uses: actions/checkout@v6 - name: Bearer uses: bearer/bearer-action@v2 with: skip-path: 'docs/' + codeql: + name: codeql + runs-on: ubuntu-latest + strategy: + fail-fast: false + steps: + - uses: actions/checkout@v6 + - uses: actions/setup-go@v6 + - name: Initialize CodeQL uses: github/codeql-action/init@v4 with: languages: go + - name: Autobuild uses: github/codeql-action/autobuild@v4 - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v4 + trivy-codeql: + name: trivy-codeql + runs-on: ubuntu-latest + strategy: + fail-fast: false + steps: + - uses: actions/checkout@v6 + - uses: actions/setup-go@v6 + - name: Run Trivy vulnerability scanner (source code) uses: aquasecurity/trivy-action@0.35.0 with: @@ -61,6 +84,15 @@ jobs: with: sarif_file: "trivy-results.sarif" + trivy-logs: + name: trivy-logs + runs-on: ubuntu-latest + strategy: + fail-fast: false + steps: + - uses: actions/checkout@v6 + - uses: actions/setup-go@v6 + - name: Run Trivy scanner (table output for logs) uses: aquasecurity/trivy-action@0.35.0 if: always() 
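Review bot: Hoisting `security-events: write` to the workflow level grants it to every job, while only `codeql` and `trivy-codeql` upload SARIF; `govulncheck`, `bearer`, and `trivy-logs` now run third-party code with a token that can write code-scanning alerts it has no reason to touch. Keep the workflow-level block to `permissions:` / `  contents: read` and add a job-level `permissions:` with `contents: read` and `security-events: write` on the two uploading jobs only. The new `trivy-codeql` job name is misleading since it runs Trivy, not CodeQL — `trivy-sarif` would describe what it does — and each new job repeats `strategy: fail-fast: false`, which is a no-op without a `matrix`. The `trivy-codeql` job's steps continue past the end of the hunk.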
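Review bot: With the table-output Trivy scan now the first real step of its own `trivy-logs` job, the `if: always()` on it has no earlier step to override and only causes the scanner to run even when the job is cancelled; drop the condition, or use `if: ${{ !cancelled() }}` if the intent was to keep running after failures. The job also adds `actions/setup-go@v6`, although a Trivy filesystem scan reads `go.mod`/`go.sum` directly and presumably does not need a Go toolchain — confirm before removing the step, but if it is unused it is only added runtime and surface. The step's `with:` block continues past the end of the hunk.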
@@ -71,4 +103,14 @@ jobs: format: "table" severity: "CRITICAL,HIGH,MEDIUM" ignore-unfixed: true - exit-code: "1" \ No newline at end of file + exit-code: "1" + + - name: Run Trivy scanner (license) + uses: aquasecurity/trivy-action@0.35.0 + if: always() + with: + scan-type: fs + scan-ref: . + scanners: license + severity: UNKNOWN,HIGH,CRITICAL + format: table \ No newline at end of file From 080e9b46957fc08b3417fa0eb8c8cd23a26811b0 Mon Sep 17 00:00:00 2001 From: Samuel Berthe Date: Wed, 25 Mar 2026 23:58:09 +0100 Subject: [PATCH 4/4] oops --- .github/workflows/security.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index e3f24dd..c6587c4 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -24,6 +24,9 @@ jobs: - uses: actions/checkout@v6 - uses: actions/setup-go@v6 + - name: Install govulncheck + run: go install golang.org/x/vuln/cmd/govulncheck@latest + - name: govulncheck run: govulncheck ./...
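Review bot: The new license step sets no `exit-code`, so with trivy-action's default of `0` any forbidden or restricted license it reports (which Trivy's default license classification surfaces as CRITICAL/HIGH) only appears in the log and never fails the job, unlike the vulnerability step just above that sets `exit-code: "1"`; either add `exit-code: "1"` to gate on it, or add `# informational only: license findings do not fail the job` above the step so the difference is deliberate. Quoting is also inconsistent with the neighbouring steps (`scan-type: fs` here versus `scan-type: "fs"` above) — both are valid YAML, but one style per file reads better. The file still ends without a trailing newline.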
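Review bot: `go install golang.org/x/vuln/cmd/govulncheck@latest` resolves to whatever version is current at run time, so the weekly scheduled run can start using a different govulncheck than the last PR run did, and two runs of the same commit are not reproducible; pin it, `go install golang.org/x/vuln/cmd/govulncheck@<pinned-version>`, and let a dependency bot bump it, or use the maintained `golang/govulncheck-action` pinned by commit SHA. The Go module checksum database still verifies whichever version resolves, so the concern is reproducibility and silent behaviour drift rather than tampering. The following `govulncheck ./...` step presumably finds the binary because `setup-go` puts `$(go env GOPATH)/bin` on PATH — a one-line comment above the install step noting that dependency would keep the step order from being disturbed.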