Merge pull request #274 from AlphaOne1/dependabot/github_actions/acti… #776

Workflow file for this run

.github/workflows/security.yml at 5c63833

	# SPDX-FileCopyrightText: 2026 The SonicWeb contributors.
	# SPDX-License-Identifier: MPL-2.0

	name: Security

	on:
	push:
	branches:
	- master
	pull_request:
	branches:
	- master

	# Declare default permissions as read-only.
	permissions: read-all

	jobs:
	GolangCI:
	runs-on: ubuntu-latest
	permissions:
	contents: read
	security-events: write
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
	with:
	egress-policy: audit

	- name: Checkout
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	fetch-depth: 1

	- name: Run golangci-lint
	uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
	with:
	version: latest
	args: --timeout=5m --output.sarif.path=golangci-lint-results.sarif --output.text.path=stdout

	- name: Upload golangci-lint results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
	with:
	sarif_file: golangci-lint-results.sarif

	TrivyCode:
	runs-on: ubuntu-latest
	permissions:
	contents: read
	security-events: write
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
	with:
	egress-policy: audit

	- name: Checkout code
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

	- name: Run Trivy vulnerability scanner in repo mode
	uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # 0.34.1
	with:
	scan-type: 'fs'
	ignore-unfixed: true
	format: 'sarif'
	output: 'trivy-results.sarif'
	severity: 'CRITICAL'

	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
	with:
	sarif_file: 'trivy-results.sarif'

	VulnerabilityCheck:
	strategy:
	matrix:
	go-version:
	- "stable"
	runs-on: ubuntu-latest
	permissions:
	contents: read
	security-events: write
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
	with:
	egress-policy: audit

	- name: Checkout
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	fetch-depth: 1

	- name: Vulnerability Check
	uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
	with:
	repo-checkout: false
	go-version-input: ${{matrix.go-version}}
	output-format: sarif
	output-file: govulncheck-results.sarif

	- name: Print Sarif
	id: printSarif
	run: \|
	cat govulncheck-results.sarif
	if grep results govulncheck-results.sarif
	then
	echo "hasResults=true" >> $GITHUB_OUTPUT
	else
	echo "hasResults=false" >> $GITHUB_OUTPUT
	fi

	- name: Upload govulncheck results to Security tab
	if: ${{ steps.printSarif.outputs.hasResults == 'true' }}
	uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
	with:
	sarif_file: govulncheck-results.sarif

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Merge pull request #274 from AlphaOne1/dependabot/github_actions/acti… #776

Workflow file

Merge pull request #274 from AlphaOne1/dependabot/github_actions/acti… #776

Uh oh!

Workflow file for this run