Determine known CVEs through govulncheck
```yaml
name: Determine known CVEs through `govulncheck`

on:
  push:
    branches:
      - main
  schedule:
    # Mondays at 0000
    - cron: "0 0 * * 1"

jobs:
  check-for-vulnerabilities:
    name: Check for vulnerabilities using `govulncheck`
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read
    steps:
      - uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
        with:
          go-package: ./...
          # NOTE that we want to produce the SARIF-formatted report, which can then be consumed by other tools ...
          output-format: sarif
          output-file: govulncheck.sarif
          # ... such as the Code Scanning tab (https://github.com/oapi-codegen/runtime/security/code-scanning?query=is%3Aopen+branch%3Amain+tool%3Agovulncheck)
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.2
        with:
          sarif_file: govulncheck.sarif
          category: govulncheck
      - name: Print code scanning results URL
        run: |
          echo "Results: https://github.com/${{ github.repository }}/security/code-scanning?query=is%3Aopen+branch%3Amain+tool%3Agovulncheck"
```
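The workflow publishes the SARIF report to Code Scanning, which is where the findings become visible; whether a finding should also fail a build is a separate decision. The useful signal for that decision is the SARIF `level`: govulncheck's symbol-level scan marks a finding `error` when a vulnerable function is actually reachable from the scanned packages, `warning` when the vulnerable package is imported but none of its vulnerable symbols are called, and `note` when the vulnerable module is merely required. Gating on `error` only keeps the noise of unreachable advisories out of the build while still recording them. The program below is an added example, not part of the gist or of govulncheck-action: it reads a `govulncheck.sarif` file (or a constructed sample embedded inline, whose `GO-0000-*` identifiers are placeholders and not real Go vulnerability database entries) and exits non-zero only on reachable findings. The `Blocking` and `ParseSARIF` names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// SampleSARIF is a constructed, trimmed-down stand-in for the govulncheck.sarif
// file the workflow produces. The GO-0000-* IDs are placeholders (assumption:
// they do not exist in the Go vulnerability database).
const SampleSARIF = `{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "govulncheck", "rules": [
      {"id": "GO-0000-0001", "shortDescription": {"text": "Placeholder: vulnerable function reachable from scanned code"}, "helpUri": "https://pkg.go.dev/vuln/GO-0000-0001"},
      {"id": "GO-0000-0002", "shortDescription": {"text": "Placeholder: vulnerable package imported, symbols not called"}, "helpUri": "https://pkg.go.dev/vuln/GO-0000-0002"},
      {"id": "GO-0000-0003", "shortDescription": {"text": "Placeholder: vulnerable module required, not imported"}, "helpUri": "https://pkg.go.dev/vuln/GO-0000-0003"}
    ]}},
    "results": [
      {"ruleId": "GO-0000-0001", "level": "error",   "message": {"text": "Your code calls vulnerable functions in 1 package."}},
      {"ruleId": "GO-0000-0002", "level": "warning", "message": {"text": "Your code imports 1 vulnerable package but does not appear to call its vulnerable symbols."}},
      {"ruleId": "GO-0000-0003", "level": "note",    "message": {"text": "Your code depends on 1 vulnerable module but does not appear to import it."}}
    ]
  }]
}`

// sarifRule and sarifLog model only the SARIF 2.1.0 fields this gate needs.
// encoding/json matches field names case-insensitively, so tags are only
// needed where the Go name differs beyond case (e.g. ruleId, helpUri).
type sarifRule struct {
	ID               string
	ShortDescription struct{ Text string }
	HelpURI          string `json:"helpUri"`
}

type sarifLog struct {
	Runs []struct {
		Tool struct {
			Driver struct{ Rules []sarifRule }
		}
		Results []struct {
			RuleID  string `json:"ruleId"`
			Level   string
			Message struct{ Text string }
		}
	}
}

// Finding is one govulncheck result joined with its rule metadata.
type Finding struct {
	ID      string // Go vulnerability ID, e.g. GO-YYYY-NNNN
	Level   string // SARIF level: "error", "warning" or "note"
	Summary string
	HelpURI string
	Message string
}

// ParseSARIF extracts findings from a govulncheck SARIF report.
func ParseSARIF(data []byte) ([]Finding, error) {
	var report sarifLog
	if err := json.Unmarshal(data, &report); err != nil {
		return nil, fmt.Errorf("parsing SARIF: %w", err)
	}
	var findings []Finding
	for _, run := range report.Runs {
		rules := make(map[string]sarifRule, len(run.Tool.Driver.Rules))
		for _, r := range run.Tool.Driver.Rules {
			rules[r.ID] = r
		}
		for _, res := range run.Results {
			rule := rules[res.RuleID] // zero value if the rule is missing
			findings = append(findings, Finding{
				ID: res.RuleID, Level: res.Level, Message: res.Message.Text,
				Summary: rule.ShortDescription.Text, HelpURI: rule.HelpURI,
			})
		}
	}
	return findings, nil
}

// Blocking returns the findings that should fail the build: level "error",
// which govulncheck assigns when a vulnerable symbol is reachable from the
// scanned packages. "warning" and "note" findings are reported but allowed.
func Blocking(findings []Finding) []Finding {
	var out []Finding
	for _, f := range findings {
		if f.Level == "error" {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	data := []byte(SampleSARIF)
	if len(os.Args) > 1 { // usage: go run . govulncheck.sarif
		var err error
		if data, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
	}
	findings, err := ParseSARIF(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("%-8s %s: %s (%s)\n", f.Level, f.ID, f.Summary, f.HelpURI)
	}
	if b := Blocking(findings); len(b) > 0 {
		fmt.Printf("%d reachable vulnerability(ies) found; failing.\n", len(b))
		os.Exit(1)
	}
}
```

Run after the govulncheck step (`go run . govulncheck.sarif`) and it exits 1 only when a vulnerable function is reachable; the SARIF upload step should still run regardless, so that the warning- and note-level findings remain visible in Code Scanning.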