Skip to content

Vulnerability Check #177

Vulnerability Check

Vulnerability Check #177

Workflow file for this run

# Copyright the version-bump contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: Vulnerability Check
on:
schedule:
- cron: '0 06 * * 0' # 6am UTC on Sundays
workflow_dispatch:
permissions:
contents: read
jobs:
vulnerability-scans:
name: Run vulnerability scans
runs-on: ubuntu-latest
env:
RELEASE_GO_VER: "1.26"
steps:
- name: Check out code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: "Set up Go"
uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
with:
go-version: "${{ env.RELEASE_GO_VER }}"
check-latest: true
# intentionally not pinned to always run the latest scanner
- name: "Install govulncheck"
run: |
go install golang.org/x/vuln/cmd/govulncheck@latest
- name: "Run govulncheck"
run: |
govulncheck ./...
# intentionally not pinned to always run the latest scanner
- name: "Install OSV Scanner"
run: |
go install github.com/google/osv-scanner/cmd/osv-scanner@latest
- name: "Run OSV Scanner"
run: |
osv-scanner scan --config .osv-scanner.toml -r --experimental-licenses="Apache-2.0,BSD-2-Clause,BSD-3-Clause,CC-BY-SA-4.0,ISC,MIT,MPL-2.0,UNKNOWN" .