ivuorinen/gh-action-readme
1
0
Fork 0
mirror of https://github.com/ivuorinen/gh-action-readme.git synced 2026-01-26 11:14:04 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
f3693e67fc806b59f6a5396aa9e5dc0ed29a2817
gh-action-readme/.github/workflows/security.yml
Ismo Vuorinen f3693e67fc feat: gen command enhancements, race condition fixes, workflow tweaks (#21) 
* feat: enhance gen command with directory/file arguments and custom output filenames

- Add positional argument support for targeting specific directories or files
- Add --output flag for custom output filename specification
- Implement resolveOutputPath method to handle absolute and relative custom paths
- Update CLI interface with comprehensive examples and help text
- Fix race condition in FixtureManager cache access with RWMutex synchronization
- Update .gitignore to cover additional generated file types (html, json)
- Maintain backward compatibility with existing gen command usage

This enhancement enables generating documentation for multiple actions in the same
directory without filename conflicts, while supporting flexible file targeting.

* feat: enhance CI workflow and standardize license filename

- Update CI workflow to use new gen command functionality with directory targeting
- Remove working-directory requirement by using positional arguments
- Add comprehensive documentation generation with multiple formats (md, html, json)
- Test single file targeting and recursive generation with themes
- Add artifact upload for generated documentation files
- Standardize license filename from LICENSE.md to LICENSE following GitHub conventions
- Clean up duplicate license files

The enhanced workflow demonstrates all new gen command features including
directory targeting, custom output filenames, multiple formats, and themes.

* fix: resolve all linting and EditorConfig violations

Fixed remaining code quality issues:
- Line length violation in TODO.md by breaking long summary
- Trailing whitespace removal from CI workflow, CLAUDE.md, and TODO.md
- Indentation consistency fixes in CI workflow YAML
- Security workflow cleanup for better formatting

All linters now pass:
- golangci-lint: 0 issues
- EditorConfig: No violations detected

Project maintains enterprise-grade code quality standards.

* refactor: optimize security workflow by removing Snyk and reducing duplication

Streamlined security scanning workflow:
- Remove Snyk job to eliminate redundancy with govulncheck and Trivy
- Add comprehensive coverage documentation explaining each tool's purpose
- Ensure consistent action version pinning across all jobs
- Maintain complete security protection with govulncheck, Trivy, gitleaks, and dependency-review

Benefits:
- Reduced execution time by ~2-3 minutes per workflow run
- Simplified secret management (no SNYK_TOKEN required)
- Lower complexity while maintaining enterprise-grade security coverage
- Better workflow maintainability with clear job documentation

Security coverage remains comprehensive with Go-specific vulnerability scanning,
multi-language dependency analysis, secrets detection, and PR-level dependency review.
2025-08-06 09:38:03 +03:00

130 lines
3.7 KiB
YAML
Raw Blame History

---
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: 'Security Scanning'
on:
push:
branches: ['main']
pull_request:
branches: ['main']
schedule:
# Run security scans every Sunday at 2:00 AM UTC
- cron: '0 2 * * 0'
merge_group:
permissions:
contents: read
security-events: write
actions: read
pull-requests: write
jobs:
# Comprehensive security coverage:
# - govulncheck: Go-specific vulnerability scanning
# - trivy: Multi-language dependency & filesystem scanning
# - gitleaks: Secrets detection in code history
# - dependency-review: PR-level dependency analysis
govulncheck:
name: Go Vulnerability Check
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4 # v4.2.2
- name: Set up Go
uses: actions/setup-go@v5 # v5.5.0
with:
go-version-file: 'go.mod'
check-latest: true
- name: Install govulncheck
run: go install golang.org/x/vuln/cmd/govulncheck@latest
- name: Run govulncheck
run: govulncheck ./...
trivy:
name: Trivy Security Scan
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4 # v4.2.2
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master # 0.32.0
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH,MEDIUM'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3 # v3.29.5
if: always()
with:
sarif_file: 'trivy-results.sarif'
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
uses: aquasecurity/trivy-action@master # 0.32.0
with:
scan-type: 'fs'
format: 'github'
output: 'dependency-results.sbom.json'
image-ref: '.'
github-pat: ${{ secrets.GITHUB_TOKEN }}
secrets:
name: Secrets Detection
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4 # v4.2.2
with:
fetch-depth: 0 # Full history for gitleaks
- name: Run gitleaks to detect secrets
uses: gitleaks/gitleaks-action@v2 # v2.4.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}} # Only required for gitleaks-action pro
docker-security:
name: Docker Image Security
runs-on: ubuntu-latest
if: github.event_name != 'pull_request' # Skip on PRs to avoid building images unnecessarily
steps:
- name: Checkout repository
uses: actions/checkout@v4 # v4.2.2
- name: Build Docker image
run: docker build -t gh-action-readme:test .
- name: Run Trivy vulnerability scanner on Docker image
uses: aquasecurity/trivy-action@master # 0.32.0
with:
image-ref: 'gh-action-readme:test'
format: 'sarif'
output: 'trivy-docker-results.sarif'
- name: Upload Docker Trivy scan results
uses: github/codeql-action/upload-sarif@v3 # v3.29.5
if: always()
with:
sarif_file: 'trivy-docker-results.sarif'
dependency-review:
name: Dependency Review
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
steps:
- name: Checkout repository
uses: actions/checkout@v4 # v4.2.2
- name: Dependency Review
uses: actions/dependency-review-action@v4 # v4.7.1
with:
fail-on-severity: high
comment-summary-in-pr: always
Reference in New Issue View Git Blame Copy Permalink