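---
name: Security

# Runs on pushes and pull requests against the protected branches, on
# merge-queue builds, and once a week so advisories published after the
# last commit are still picked up without a code change.
on:
  push:
    branches: [master, release/v1]
  pull_request:
    branches: [master, release/v1]
  merge_group:
  schedule:
    - cron: "0 6 * * 1"

# Least privilege: the workflow token defaults to read-only. Only the jobs
# that upload SARIF to code scanning request `security-events: write`, and
# they do so at job level. No step in this file comments on or edits pull
# requests, so `pull-requests: write` is not granted; re-add it on the job
# that needs it if such a step is introduced.
permissions:
  contents: read

jobs:
  govulncheck:
    name: govulncheck
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: "1.26.4"

      # Presumably required so cgo packages that link against PC/SC can be
      # loaded by the scanner; verify against go.mod if the package is ever
      # dropped.
      - name: Install system dependencies
        run: sudo apt-get update && sudo apt-get install -y libpcsclite-dev

      # `@latest` keeps the scanner current but makes the run unpinned; the
      # vulnerability database is fetched at run time either way, so pin to
      # a tag only if reproducible tool versions matter more than freshness.
      - name: Run govulncheck
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          govulncheck -show verbose ./...

  gosec:
    name: gosec
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # needed by upload-sarif below
    steps:
      - uses: actions/checkout@v7

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: "1.26.4"

      - name: Install system dependencies
        run: sudo apt-get update && sudo apt-get install -y libpcsclite-dev

      # NOTE(review): `@master` is a floating ref, so any upstream commit
      # (including a broken or compromised one) flows straight into this
      # job. Pin to a release tag or full commit SHA.
      # `-no-fail` means findings are surfaced through code scanning rather
      # than by failing the job. Every rule in `-exclude` (G101 hard-coded
      # credentials, G115 integer conversion overflow, G204 subprocess with
      # variable input, G304 file path from taint, G306 WriteFile
      # permissions, G401/G501 weak or blocklisted crypto) is silenced
      # repository-wide; keep the reason for each exclusion next to this
      # list so the suppressions can be revisited.
      - name: Run gosec
        uses: securego/gosec@master
        env:
          GOTOOLCHAIN: auto
        with:
          args: "-no-fail -fmt=sarif -out=gosec.sarif -severity=medium -confidence=medium -exclude=G101,G115,G204,G304,G306,G401,G501 ./..."

      - name: Upload SARIF
        # Upload even if the scan step failed, but only when a report exists.
        if: always() && hashFiles('gosec.sarif') != ''
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: gosec.sarif
          category: gosec

  trivy:
    name: trivy
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # needed by upload-sarif below
    steps:
      - uses: actions/checkout@v7

      # NOTE(review): `@master` is a floating ref; pin to a release tag or
      # full commit SHA as for gosec.
      # The filesystem scan never fails the job (exit-code "0"); results go
      # to code scanning. Unfixed findings are ignored to keep the signal
      # actionable.
      - name: Trivy filesystem scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          scan-ref: .
          format: sarif
          output: trivy.sarif
          severity: CRITICAL,HIGH,MEDIUM
          ignore-unfixed: true
          exit-code: "0"

      - name: Upload SARIF
        # Same guard as the gosec job: a scanner failure that produced no
        # report results in a skipped step, not an upload error on a
        # missing file.
        if: always() && hashFiles('trivy.sarif') != ''
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: trivy.sarif
          category: trivy

      # The config (IaC) scan is the gating one: exit-code "1" fails the job
      # on CRITICAL/HIGH misconfigurations. It runs after the SARIF upload
      # so a gate failure does not lose the filesystem findings.
      - name: Trivy config scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: config
          scan-ref: .
          format: table
          severity: CRITICAL,HIGH
          exit-code: "1"
          skip-dirs: docs/node_modules

  codeql:
    name: codeql
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      actions: read
      contents: read
    steps:
      - uses: actions/checkout@v7

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: "1.26.4"

      - name: Install system dependencies
        run: sudo apt-get update && sudo apt-get install -y libpcsclite-dev

      # security-extended adds lower-precision queries on top of the default
      # suite; expect more findings to triage than with the default set.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: go
          queries: security-extended

      # Explicit build so the CodeQL tracer observes every package,
      # including cgo ones, rather than relying on autobuild.
      - name: Build
        run: go build ./...

      - name: Analyze
        uses: github/codeql-action/analyze@v4
        with:
          category: codeql-go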