mirror of
https://github.com/ivuorinen/gibidify.git
synced 2026-01-26 03:24:05 +00:00
Ismo Vuorinen
3f65b813bd
* chore(ci): update go to 1.25, add permissions and envs * fix(ci): update pr-lint.yml * chore: update go, fix linting * fix: tests and linting * fix(lint): lint fixes, renovate should now pass * fix: updates, security upgrades * chore: workflow updates, lint * fix: more lint, checkmake, and other fixes * fix: more lint, convert scripts to POSIX compliant * fix: simplify codeql workflow * tests: increase test coverage, fix found issues * fix(lint): editorconfig checking, add to linters * fix(lint): shellcheck, add to linters * fix(lint): apply cr comment suggestions * fix(ci): remove step-security/harden-runner * fix(lint): remove duplication, apply cr fixes * fix(ci): tests in CI/CD pipeline * chore(lint): deduplication of strings * fix(lint): apply cr comment suggestions * fix(ci): actionlint * fix(lint): apply cr comment suggestions * chore: lint, add deps management
97 lines
2.9 KiB
YAML
97 lines
2.9 KiB
YAML
name: Security Scan
|
|
|
|
on:
|
|
push:
|
|
branches: [main, develop]
|
|
pull_request:
|
|
branches: [main, develop]
|
|
schedule:
|
|
# Run security scan weekly on Sundays at 00:00 UTC
|
|
- cron: "0 0 * * 0"
|
|
|
|
permissions: {}
|
|
|
|
jobs:
|
|
security:
|
|
name: Security Analysis
|
|
runs-on: ubuntu-latest
|
|
|
|
permissions:
|
|
security-events: write
|
|
contents: read
|
|
actions: read
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
|
|
- name: Setup Go
|
|
uses: ./.github/actions/setup
|
|
with:
|
|
token: ${{ github.token }}
|
|
|
|
# Security Scanning with gosec
|
|
- name: Run gosec Security Scanner
|
|
uses: securego/gosec@15d5c61e866bc2e2e8389376a31f1e5e09bde7d8 # v2.22.9
|
|
with:
|
|
args: "-fmt sarif -out gosec-results.sarif ./..."
|
|
|
|
- name: Upload gosec results to GitHub Security tab
|
|
uses: github/codeql-action/upload-sarif@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7
|
|
if: always()
|
|
with:
|
|
sarif_file: gosec-results.sarif
|
|
|
|
# Dependency Vulnerability Scanning
|
|
- name: Run govulncheck
|
|
run: |
|
|
go install golang.org/x/vuln/cmd/govulncheck@latest
|
|
govulncheck -json ./... > govulncheck-results.json || true
|
|
|
|
- name: Parse govulncheck results
|
|
run: |
|
|
if [ -s govulncheck-results.json ]; then
|
|
echo "::warning::Vulnerability check completed. Check govulncheck-results.json for details."
|
|
if grep -i -q '"finding"' govulncheck-results.json; then
|
|
echo "::error::Vulnerabilities found in dependencies!"
|
|
cat govulncheck-results.json
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
# Makefile Linting
|
|
- name: Run checkmake on Makefile
|
|
run: |
|
|
go install github.com/checkmake/checkmake/cmd/checkmake@latest
|
|
checkmake --config=.checkmake Makefile
|
|
|
|
# Shell Script Formatting Check
|
|
- name: Check shell script formatting
|
|
run: |
|
|
go install mvdan.cc/sh/v3/cmd/shfmt@latest
|
|
shfmt -d .
|
|
|
|
- name: Run YAML linting
|
|
uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c # v3.1.1
|
|
with:
|
|
file_or_dir: .
|
|
strict: true
|
|
|
|
# Docker Security (if Dockerfile exists)
|
|
- name: Run Docker security scan
|
|
if: hashFiles('Dockerfile') != ''
|
|
run: |
|
|
docker run --rm -v "$PWD":/workspace \
|
|
aquasec/trivy:latest fs --security-checks vuln,config /workspace/Dockerfile || true
|
|
|
|
# Upload artifacts for review
|
|
- name: Upload security scan results
|
|
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
|
|
if: always()
|
|
with:
|
|
name: security-scan-results
|
|
path: |
|
|
gosec-results.sarif
|
|
govulncheck-results.json
|
|
retention-days: 30
|