security.yml

  1name: Security
  2
  3on:
  4  push:
  5    branches: [master, release/v1]
  6  pull_request:
  7    branches: [master, release/v1]
  8  merge_group:
  9  schedule:
 10    - cron: "0 6 * * 1"
 11
 12permissions:
 13  contents: read
 14  security-events: write
 15  pull-requests: write
 16
 17jobs:
 18  govulncheck:
 19    name: govulncheck
 20    runs-on: ubuntu-latest
 21    steps:
 22      - uses: actions/checkout@v7
 23
 24      - name: Set up Go
 25        uses: actions/setup-go@v6
 26        with:
 27          go-version: "1.26.4"
 28
 29      - name: Install system dependencies
 30        run: sudo apt-get update && sudo apt-get install -y libpcsclite-dev
 31
 32      - name: Run govulncheck
 33        run: |
 34          go install golang.org/x/vuln/cmd/govulncheck@latest
 35          govulncheck -show verbose ./...
 36
 37  gosec:
 38    name: gosec
 39    runs-on: ubuntu-latest
 40    steps:
 41      - uses: actions/checkout@v7
 42
 43      - name: Set up Go
 44        uses: actions/setup-go@v6
 45        with:
 46          go-version: "1.26.4"
 47
 48      - name: Install system dependencies
 49        run: sudo apt-get update && sudo apt-get install -y libpcsclite-dev
 50
 51      - name: Run gosec
 52        uses: securego/gosec@master
 53        env:
 54          GOTOOLCHAIN: auto
 55        with:
 56          args: "-no-fail -fmt=sarif -out=gosec.sarif -severity=medium -confidence=medium -exclude=G101,G115,G204,G304,G306,G401,G501 ./..."
 57
 58      - name: Upload SARIF
 59        if: always() && hashFiles('gosec.sarif') != ''
 60        uses: github/codeql-action/upload-sarif@v4
 61        with:
 62          sarif_file: gosec.sarif
 63          category: gosec
 64
 65  trivy:
 66    name: trivy
 67    runs-on: ubuntu-latest
 68    steps:
 69      - uses: actions/checkout@v7
 70
 71      - name: Trivy filesystem scan
 72        uses: aquasecurity/trivy-action@master
 73        with:
 74          scan-type: fs
 75          scan-ref: .
 76          format: sarif
 77          output: trivy.sarif
 78          severity: CRITICAL,HIGH,MEDIUM
 79          ignore-unfixed: true
 80          exit-code: "0"
 81
 82      - name: Upload SARIF
 83        if: always()
 84        uses: github/codeql-action/upload-sarif@v4
 85        with:
 86          sarif_file: trivy.sarif
 87          category: trivy
 88
 89      - name: Trivy config scan
 90        uses: aquasecurity/trivy-action@master
 91        with:
 92          scan-type: config
 93          scan-ref: .
 94          format: table
 95          severity: CRITICAL,HIGH
 96          exit-code: "1"
 97          skip-dirs: docs/node_modules
 98
 99  codeql:
100    name: codeql
101    runs-on: ubuntu-latest
102    permissions:
103      security-events: write
104      actions: read
105      contents: read
106    steps:
107      - uses: actions/checkout@v7
108
109      - name: Set up Go
110        uses: actions/setup-go@v6
111        with:
112          go-version: "1.26.4"
113
114      - name: Install system dependencies
115        run: sudo apt-get update && sudo apt-get install -y libpcsclite-dev
116
117      - name: Initialize CodeQL
118        uses: github/codeql-action/init@v4
119        with:
120          languages: go
121          queries: security-extended
122
123      - name: Build
124        run: go build ./...
125
126      - name: Analyze
127        uses: github/codeql-action/analyze@v4
128        with:
129          category: codeql-go