security.yml

  1name: Security
  2
  3on:
  4  push:
  5    branches: [master]
  6  pull_request:
  7    branches: [master]
  8  schedule:
  9    - cron: "0 6 * * 1"
 10
 11permissions:
 12  contents: read
 13  security-events: write
 14  pull-requests: write
 15
 16jobs:
 17  govulncheck:
 18    name: govulncheck
 19    runs-on: ubuntu-latest
 20    steps:
 21      - uses: actions/checkout@v6
 22
 23      - name: Set up Go
 24        uses: actions/setup-go@v6
 25        with:
 26          go-version: "1.26.3"
 27
 28      - name: Install system dependencies
 29        run: sudo apt-get update && sudo apt-get install -y libpcsclite-dev
 30
 31      - name: Run govulncheck
 32        run: |
 33          go install golang.org/x/vuln/cmd/govulncheck@latest
 34          govulncheck -show verbose ./...
 35
 36  gosec:
 37    name: gosec
 38    runs-on: ubuntu-latest
 39    steps:
 40      - uses: actions/checkout@v6
 41
 42      - name: Set up Go
 43        uses: actions/setup-go@v6
 44        with:
 45          go-version: "1.26.3"
 46
 47      - name: Install system dependencies
 48        run: sudo apt-get update && sudo apt-get install -y libpcsclite-dev
 49
 50      - name: Run gosec
 51        uses: securego/gosec@master
 52        env:
 53          GOTOOLCHAIN: auto
 54        with:
 55          args: "-no-fail -fmt=sarif -out=gosec.sarif -severity=medium -confidence=medium -exclude=G101,G115,G204,G304,G306,G401,G501 ./..."
 56
 57      - name: Upload SARIF
 58        if: always() && hashFiles('gosec.sarif') != ''
 59        uses: github/codeql-action/upload-sarif@v4
 60        with:
 61          sarif_file: gosec.sarif
 62          category: gosec
 63
 64  trivy:
 65    name: trivy
 66    runs-on: ubuntu-latest
 67    steps:
 68      - uses: actions/checkout@v6
 69
 70      - name: Trivy filesystem scan
 71        uses: aquasecurity/trivy-action@master
 72        with:
 73          scan-type: fs
 74          scan-ref: .
 75          format: sarif
 76          output: trivy.sarif
 77          severity: CRITICAL,HIGH,MEDIUM
 78          ignore-unfixed: true
 79          exit-code: "0"
 80
 81      - name: Upload SARIF
 82        if: always()
 83        uses: github/codeql-action/upload-sarif@v4
 84        with:
 85          sarif_file: trivy.sarif
 86          category: trivy
 87
 88      - name: Trivy config scan
 89        uses: aquasecurity/trivy-action@master
 90        with:
 91          scan-type: config
 92          scan-ref: .
 93          format: table
 94          severity: CRITICAL,HIGH
 95          exit-code: "1"
 96          skip-dirs: docs/node_modules
 97
 98  codeql:
 99    name: codeql
100    runs-on: ubuntu-latest
101    permissions:
102      security-events: write
103      actions: read
104      contents: read
105    steps:
106      - uses: actions/checkout@v6
107
108      - name: Set up Go
109        uses: actions/setup-go@v6
110        with:
111          go-version: "1.26.3"
112
113      - name: Install system dependencies
114        run: sudo apt-get update && sudo apt-get install -y libpcsclite-dev
115
116      - name: Initialize CodeQL
117        uses: github/codeql-action/init@v4
118        with:
119          languages: go
120          queries: security-extended
121
122      - name: Build
123        run: go build ./...
124
125      - name: Analyze
126        uses: github/codeql-action/analyze@v4
127        with:
128          category: codeql-go