Gosec #526
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Gosec | |
| on: | |
| workflow_dispatch: | |
| schedule: | |
| # # This is meant to run every day at 8am | |
| - cron: '0 8 * * 1-5' | |
| permissions: | |
| contents: read | |
| jobs: | |
| gosec: | |
| runs-on: ubuntu-latest | |
| env: | |
| GO111MODULE: on | |
| outputs: | |
| gosec-status: ${{ steps.gosec-run.outcome }} | |
| steps: | |
| - name: Checkout Source | |
| uses: actions/checkout@v5 | |
| - name: Run Gosec | |
| id: gosec-run | |
| continue-on-error: true | |
| uses: securego/gosec@master # zizmor: ignore[unpinned-uses] | |
| env: | |
| # gosec runs in its own container with a bundled Go and | |
| # GOTOOLCHAIN=local; allow it to fetch the toolchain go.mod | |
| # requires, otherwise it loads 0 packages and scans nothing. | |
| GOTOOLCHAIN: auto | |
| with: | |
| args: '-exclude=G104,G115,G304,G406,G507 -exclude-dir=builtin/gen ./...' | |
| notify-slack: | |
| name: Notify Slack | |
| needs: | |
| - gosec | |
| if: always() && needs.gosec.outputs.gosec-status == 'failure' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v5 | |
| - name: Notify Slack | |
| uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 # v1.25.0 | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.GOSEC_SLACK_WEBHOOK }} | |
| with: | |
| payload: | | |
| { | |
| "commit-url": "${{ github.event.head_commit.url }}", | |
| "branch": "${{ github.ref }}", | |
| "repository": "${{ github.repository }}" | |
| } |