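---
# Security scanning workflow: govulncheck (known-vulnerable Go deps), gosec
# (Go static analysis), Trivy (filesystem + config/IaC) and CodeQL.
# gosec, Trivy and CodeQL upload SARIF into the repository's code-scanning
# alerts; govulncheck reports to the job log only.
name: Security

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]
  schedule:
    # Weekly (Mondays 06:00 UTC) so advisories published after the last
    # commit are still picked up.
    - cron: "0 6 * * 1"

# Workflow-wide token scope is read-only. Only the jobs that upload SARIF
# request security-events: write, each in its own permissions block.
# No step in this workflow comments on or edits pull requests, so no
# pull-requests scope is granted (least privilege).
permissions:
  contents: read

jobs:
  govulncheck:
    name: govulncheck
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: "1.26.3"

      # presumably required by a cgo (PC/SC) dependency of this module so
      # that the packages load — TODO confirm which package needs it
      - name: Install system dependencies
        run: sudo apt-get update && sudo apt-get install -y libpcsclite-dev

      # govulncheck exits non-zero when a reachable vulnerability is found,
      # which fails this job; -show verbose prints the call-stack evidence.
      # @latest is the upstream-documented install form, but it is a floating
      # ref — pin a module version here if reproducible runs are required.
      - name: Run govulncheck
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          govulncheck -show verbose ./...

  gosec:
    name: gosec
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # needed by upload-sarif below
    steps:
      - uses: actions/checkout@v6

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: "1.26.3"

      - name: Install system dependencies
        run: sudo apt-get update && sudo apt-get install -y libpcsclite-dev

      # NOTE(review): @master is a mutable ref — the action code that runs
      # here can change without any change to this file. Pin to a release
      # tag or, preferably, a full commit SHA and let a dependency bot bump it.
      - name: Run gosec
        uses: securego/gosec@master
        env:
          # Lets the action's Go resolve the toolchain version from go.mod.
          GOTOOLCHAIN: auto
        with:
          # -no-fail: findings surface as code-scanning alerts, the job stays
          # green. The -exclude list suppresses, repo-wide: G101 (hard-coded
          # credentials), G115 (integer conversion overflow), G204 (subprocess
          # with variable arguments), G304 (file path from input), G306
          # (WriteFile permissions), G401 and G501 (weak crypto / crypto/md5
          # import). Each global exclusion should have a recorded
          # justification; a per-site `#nosec` with a reason is preferable to
          # silencing a rule for the whole module.
          args: "-no-fail -fmt=sarif -out=gosec.sarif -severity=medium -confidence=medium -exclude=G101,G115,G204,G304,G306,G401,G501 ./..."

      # Runs even if gosec failed, but only when a report was actually
      # written, so a scanner crash is not masked by a "file not found"
      # error from the uploader.
      - name: Upload SARIF
        if: always() && hashFiles('gosec.sarif') != ''
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: gosec.sarif
          category: gosec

  trivy:
    name: trivy
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # needed by upload-sarif below
    steps:
      - uses: actions/checkout@v6

      # NOTE(review): @master is a mutable ref (same concern as the gosec
      # job); pin to a release tag or commit SHA.
      - name: Trivy filesystem scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          scan-ref: .
          format: sarif
          output: trivy.sarif
          severity: CRITICAL,HIGH,MEDIUM
          # Hides findings that have no upstream fix yet. They are still
          # present in the dependency tree; flip this if an inventory of
          # known-but-unfixed issues is wanted in the alerts.
          ignore-unfixed: true
          exit-code: "0"  # report-only; findings do not fail the job

      # Same guard as the gosec job: upload only when the report exists, so a
      # failed scan is reported as the scan failing rather than as a missing
      # SARIF file.
      - name: Upload SARIF
        if: always() && hashFiles('trivy.sarif') != ''
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: trivy.sarif
          category: trivy

      # Misconfiguration scan (IaC, Dockerfiles, workflow files) is blocking:
      # exit-code "1" fails the job on CRITICAL/HIGH findings.
      - name: Trivy config scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: config
          scan-ref: .
          format: table
          severity: CRITICAL,HIGH
          exit-code: "1"
          skip-dirs: docs/node_modules

  codeql:
    name: codeql
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # analyze uploads results
      actions: read           # required by CodeQL on private repositories
      contents: read
    steps:
      - uses: actions/checkout@v6

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: "1.26.3"

      # The build below must succeed for CodeQL's Go extractor to see every
      # package; this supplies the native header that build needs.
      - name: Install system dependencies
        run: sudo apt-get update && sudo apt-get install -y libpcsclite-dev

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: go
          # security-extended adds lower-precision security queries on top
          # of the default suite.
          queries: security-extended

      - name: Build
        run: go build ./...

      - name: Analyze
        uses: github/codeql-action/analyze@v4
        with:
          category: codeql-go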