ci-workflows/.github/workflows/scanner.yml at f78e672df236ae7c3fb41b488f19db51d6c50b3f · go-openapi/ci-workflows · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
name: Vulnerability scans

on:
  workflow_call:

  workflow_dispatch:

permissions:
  contents: read

# description: |
#   A fast vulnerability scan on the repo that effectively supplements ossf scorecard and codesql
#   and may run every day.
#
#   * trivy reports are often more easily actionable than codeql reports.
#   * govumnscan supplements this analysis with a more go-specific approach
#
# NOTE: at this moment, we don't want to adopt snyk, which requires a token, provides an extra dashboard etc.
# Most likely, snyk would be redundant with trivy.

jobs:
  analysis:
    name: Vulnerability scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      -
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      -
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version: stable
          check-latest: true
          cache: true
      -
        name: Vulnerability scan by trivy
        uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # v0.34.1
        with:
          scan-type: repo
          format: sarif
          hide-progress: false
          output: trivy-code-report.sarif
          scanners: vuln,secret
          version: v0.68.1
          exit-code: 0
      -
        name: Upload trivy findings to code scanning dashboard
        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
        with:
          category: trivy
          sarif_file: trivy-code-report.sarif

  govulnscan:
    name: go vulnerability scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      -
        id: govulncheck
        uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
        with:
          output-format: sarif
          output-file: govulnscan-report.sarif
      -
        name: Upload govulnscan findings to code scanning dashboard
        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
        with:
          category: govulnscan
          sarif_file: govulnscan-report.sarif