security.yml

 1name: "security"
 2
 3on:
 4  pull_request:
 5  push:
 6    branches: [main]
 7  schedule:
 8    - cron: "0 2 * * *"
 9
10permissions:
11  contents: read
12
13concurrency:
14  group: security-${{ github.event.pull_request.number || github.ref }}
15  cancel-in-progress: true
16
17jobs:
18  codeql:
19    runs-on: ubuntu-latest
20    strategy:
21      fail-fast: false
22      matrix:
23        language: ["go", "actions"]
24    permissions:
25      actions: read
26      contents: read
27      pull-requests: read
28      security-events: write
29    steps:
30      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
31        with:
32          persist-credentials: false
33      - uses: github/codeql-action/init@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
34        with:
35          languages: ${{ matrix.language }}
36      - uses: github/codeql-action/autobuild@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
37      - uses: github/codeql-action/analyze@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
38
39  grype:
40    runs-on: ubuntu-latest
41    permissions:
42      security-events: write
43      actions: read
44      contents: read
45    steps:
46      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
47        with:
48          persist-credentials: false
49      - uses: anchore/scan-action@40a61b52209e9d50e87917c5b901783d546b12d0 # v7.2.1
50        id: scan
51        with:
52          path: "."
53          fail-build: true
54          severity-cutoff: critical
55      - uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
56        with:
57          sarif_file: ${{ steps.scan.outputs.sarif }}
58
59  govulncheck:
60    runs-on: ubuntu-latest
61    permissions:
62      security-events: write
63      contents: read
64    steps:
65      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
66        with:
67          persist-credentials: false
68      - uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
69        with:
70          output-format: sarif
71          output-file: results.sarif
72      - uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
73        with:
74          sarif_file: results.sarif
75
76  dependency-review:
77    runs-on: ubuntu-latest
78    if: github.event_name == 'pull_request'
79    permissions:
80      contents: read
81    steps:
82      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
83        with:
84          persist-credentials: false
85      - uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2
86        with:
87          fail-on-severity: critical
88          allow-licenses: BSD-2-Clause, BSD-3-Clause, MIT, Apache-2.0, MPL-2.0, ISC