security.yml

 1name: "security"
 2
 3on:
 4  pull_request:
 5  push:
 6    branches: [main]
 7  schedule:
 8    - cron: "0 2 * * *"
 9
10permissions:
11  contents: read
12
13concurrency:
14  group: security-${{ github.event.pull_request.number || github.ref }}
15  cancel-in-progress: true
16
17jobs:
18  codeql:
19    runs-on: ubuntu-latest
20    strategy:
21      fail-fast: false
22      matrix:
23        language: ["go", "actions"]
24    permissions:
25      actions: read
26      contents: read
27      pull-requests: read
28      security-events: write
29    steps:
30      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
31        with:
32          persist-credentials: false
33      - uses: github/codeql-action/init@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
34        with:
35          languages: ${{ matrix.language }}
36      - uses: github/codeql-action/autobuild@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
37      - uses: github/codeql-action/analyze@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
38
39  grype:
40    runs-on: ubuntu-latest
41    permissions:
42      security-events: write
43      actions: read
44      contents: read
45    steps:
46      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
47        with:
48          persist-credentials: false
49      - uses: anchore/scan-action@40a61b52209e9d50e87917c5b901783d546b12d0 # v7.2.1
50        id: scan
51        with:
52          path: "."
53          fail-build: true
54          severity-cutoff: critical
55      - uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
56        with:
57          sarif_file: ${{ steps.scan.outputs.sarif }}
58
59  govulncheck:
60    runs-on: ubuntu-latest
61    permissions:
62      security-events: write
63      contents: read
64    steps:
65      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
66        with:
67          persist-credentials: false
68      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
69        with:
70          go-version: 1.26.0-rc.1 # change to "stable" once Go 1.26 is released
71      - name: Install govulncheck
72        run: go install golang.org/x/vuln/cmd/govulncheck@latest
73      - name: Run govulncheck
74        run: |
75          govulncheck -C . -format sarif ./... > results.sarif
76      - uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
77        with:
78          sarif_file: results.sarif
79
80  dependency-review:
81    runs-on: ubuntu-latest
82    if: github.event_name == 'pull_request'
83    permissions:
84      contents: read
85    steps:
86      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
87        with:
88          persist-credentials: false
89      - uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2
90        with:
91          fail-on-severity: critical
92          allow-licenses: BSD-2-Clause, BSD-3-Clause, MIT, Apache-2.0, MPL-2.0, ISC, LicenseRef-scancode-google-patent-license-golang