Incorporate govulncheck into workflows
This commit is contained in:
parent
28b9470ba7
commit
bd6b862b63
2 changed files with 46 additions and 1 deletions
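--- /dev/null
+++ b/.github/workflows/govulncheck.yml
@@ -0,0 +1,27 @@
+name: Go Vulnerability Check
+on:
+  schedule:
+    - cron: "0 0 * * 1" # Every Monday at midnight UTC
+jobs:
+  govulncheck:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+
+      # `govulncheck -format sarif` exits successfully regardless of results, which are not in stdout.
+      # See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck#hdr-Exit_codes for more information on exit codes.
+      - name: Check Go vulnerabilities
+        run: |
+          make
+          go run golang.org/x/vuln/cmd/govulncheck@d1f380186385b4f64e00313f31743df8e4b89a77 -mode=binary -format sarif bin/gh > gh.sarif
+
+      - name: Upload SARIF report
+        uses: github/codeql-action/upload-sarif@9b02dc2f60288b463e7a66e39c78829b62780db7 # 2.22.1
+        with:
+          sarif_file: gh.sarif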
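Review bot: No `permissions:` block is declared, so the `Upload SARIF report` step relies on the repository's default GITHUB_TOKEN grant; `github/codeql-action/upload-sarif` needs `security-events: write`, and with a read-only default the scheduled run fails at the upload step. I would add a top-level `permissions:`, `  contents: read`, `  security-events: write` so the grant is explicit and least-privilege. `actions/checkout@v4` and `actions/setup-go@v5` are pinned by mutable tag while govulncheck and upload-sarif are pinned by full commit SHA; the same mixed pinning appears in the lint.yml hunk, and pinning all of them by SHA with a version comment keeps the supply-chain posture consistent. The step comment `which are not in stdout` reads as contradicting the redirect on the next command, where the SARIF results are captured from stdout; `# -format sarif always exits 0 and writes findings to stdout, so the upload step below is what surfaces them` says what was meant.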
20
.github/workflows/lint.yml
vendored
20
.github/workflows/lint.yml
vendored
|
|
@ -23,7 +23,6 @@ permissions:
|
|||
jobs:
|
||||
lint:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- name: Check out code
|
||||
uses: actions/checkout@v4
|
||||
|
|
@ -64,3 +63,22 @@ jobs:
|
|||
export PATH=${GOROOT}/bin:$PATH
|
||||
go install github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e
|
||||
make licenses-check
|
||||
|
||||
# Discover vulnerabilities within Go standard libraries used to build GitHub CLI using govulncheck.
|
||||
govulncheck:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Check out code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Set up Go
|
||||
uses: actions/setup-go@v5
|
||||
with:
|
||||
go-version-file: 'go.mod'
|
||||
|
||||
# `govulncheck` exits unsuccessfully if vulnerabilities are found, providing results in stdout.
|
||||
# See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck#hdr-Exit_codes for more information on exit codes.
|
||||
- name: Check Go vulnerabilities
|
||||
run: |
|
||||
make
|
||||
go run golang.org/x/vuln/cmd/govulncheck@d1f380186385b4f64e00313f31743df8e4b89a77 -mode=binary bin/gh
|
||||
|