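# Copyright 2026 Phillip Cloud
# Licensed under the Apache License, Version 2.0
#
# Security scanning workflow. Every third-party action is pinned to a full
# commit SHA (the trailing comment records the tag it was taken from), and
# every checkout sets persist-credentials: false so the job token is not
# written into .git/config for later steps to read.
---
name: Security

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Workflow-wide default: a read-only token. A job that declares its own
# `permissions:` block replaces this default entirely (it is not merged),
# so such jobs must restate contents: read themselves.
permissions:
  contents: read

jobs:
  changes:
    name: Detect Changes
    runs-on: ubuntu-latest
    outputs:
      go: ${{ steps.detect.outputs.go }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          # Only the detection script is needed, not the whole tree.
          sparse-checkout: .github/detect-go-changes.bash
          sparse-checkout-cone-mode: false
          persist-credentials: false
      - name: Check for Go-related changes
        id: detect
        env:
          GH_TOKEN: ${{ github.token }}
          # Expression values are handed to the script through the
          # environment instead of being interpolated into the script text,
          # so the shell sees them only as quoted arguments.
          EVENT_NAME: ${{ github.event_name }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          BEFORE_SHA: ${{ github.event.before }}
          HEAD_SHA: ${{ github.sha }}
        run: |
          go=$(bash .github/detect-go-changes.bash \
            "$EVENT_NAME" \
            "$PR_NUMBER" \
            "$BEFORE_SHA" \
            "$HEAD_SHA")
          echo "go=$go" >> "$GITHUB_OUTPUT"

  govulncheck:
    name: Vulnerability Check
    needs: changes
    # Go-only scanners are skipped when the detector reports no Go changes;
    # a skipped job reports 'skipped', which the result gate below accepts.
    if: needs.changes.outputs.go == 'true'
    runs-on: ubuntu-latest
    concurrency:
      group: security-govulncheck-${{ github.ref }}
      # Superseded PR runs are cancelled; runs for pushes to main complete.
      cancel-in-progress: ${{ github.event_name == 'pull_request' }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - uses: cachix/install-nix-action@19effe9fe722874e6d46dd7182e4b8b7a43c4a99 # v31.10.0
      - name: Run govulncheck
        run: nix run '.#govulncheck'

  osv-scanner:
    name: OSV Scan
    needs: changes
    if: needs.changes.outputs.go == 'true'
    runs-on: ubuntu-latest
    concurrency:
      group: security-osv-scanner-${{ github.ref }}
      cancel-in-progress: ${{ github.event_name == 'pull_request' }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - uses: cachix/install-nix-action@19effe9fe722874e6d46dd7182e4b8b7a43c4a99 # v31.10.0
      - name: Run osv-scanner
        run: nix run '.#osv-scanner'

  secrets:
    name: Secret Scan
    # Deliberately not gated on the change detector: a leaked credential can
    # land in any file type, so this job runs on every push and PR.
    runs-on: ubuntu-latest
    concurrency:
      group: security-secrets-${{ github.ref }}
      cancel-in-progress: ${{ github.event_name == 'pull_request' }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          # Full history rather than a single commit, so earlier commits are
          # available to the scanner as well as HEAD.
          fetch-depth: 0
          persist-credentials: false
      - uses: trufflesecurity/trufflehog@6c05c4a00b91aa542267d8e32a8254774799d68d # v3.93.8
        with:
          # Report only findings the scanner was able to verify.
          extra_args: --only-verified

  codeql:
    name: CodeQL (Go)
    needs: changes
    if: needs.changes.outputs.go == 'true'
    runs-on: ubuntu-latest
    concurrency:
      group: security-codeql-${{ github.ref }}
      cancel-in-progress: ${{ github.event_name == 'pull_request' }}
    # This block replaces the workflow-level default rather than extending
    # it, so contents: read is restated here for the checkout step instead of
    # relying on the repository being publicly readable. actions: read and
    # security-events: write are the permissions the CodeQL action documents
    # for uploading its results.
    permissions:
      actions: read
      contents: read
      security-events: write
    env:
      # Disables cgo for the manual build step below.
      CGO_ENABLED: "0"
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version: "1.25"
      - name: Initialize CodeQL
        uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
        with:
          languages: go
          # Manual build mode: the Build step between init and analyze
          # compiles the code, rather than CodeQL's autobuild.
          build-mode: manual
      - name: Build
        run: go build ./...
      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6

  result:
    name: Security / Result
    # Aggregate status job: always() makes it run even when an upstream job
    # failed, was cancelled or was skipped, and the single step fails it if
    # any dependency failed or was cancelled. Jobs skipped by the change
    # detector report 'skipped' and therefore pass this gate.
    if: always()
    needs: [changes, govulncheck, osv-scanner, secrets, codeql]
    runs-on: ubuntu-latest
    steps:
      - run: exit 1
        if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')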