Skip to content

Add comprehensive security scanning workflows #258

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add comprehensive security scanning workflows #258

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
142 changes: 142 additions & 0 deletions .github/workflows/codeql-analysis.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,142 @@
name: "CodeQL Security Analysis"

on:
push:
branches: [ master ]
pull_request:
branches: [ master ]
schedule:
# Run CodeQL analysis weekly on Mondays at 2 AM UTC
- cron: '0 2 * * 1'
workflow_dispatch:

permissions:
actions: read
contents: read
security-events: write

jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
timeout-minutes: 360

strategy:
fail-fast: false
matrix:
language: [ 'go' ]

steps:
- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- name: Initialize CodeQL
uses: github/codeql-action/init@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
with:
languages: ${{ matrix.language }}
# Override default queries to include security-extended for more comprehensive analysis
queries: security-extended,security-and-quality

- name: Set up Go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: '1.24.9'

- name: Autobuild
uses: github/codeql-action/autobuild@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
with:
category: "/language:${{matrix.language}}"
upload: false

vulnerability-scan:
name: Go Vulnerability Scan
runs-on: ubuntu-latest
timeout-minutes: 30

steps:
- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- name: Set up Go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: '1.24.9'

- name: Run govulncheck
run: |
go install golang.org/x/vuln/cmd/govulncheck@d1f380186385b4f64e00313f31743df8e4b89a77 # v1.1.4
govulncheck ./...
Comment on lines +68 to +71
Copy link
Contributor

@jj22ee jj22ee Nov 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this fail the workflow if there are vulnerabilities?


- name: Run Go security checker (gosec)
run: |
go install github.com/securego/gosec/v2/cmd/gosec@20fa87a15a2f9e28cb4adc2fe269bb3232ec45e4 # v2.22.9
# Use JSON format instead of SARIF to avoid validation issues
gosec -fmt json -out gosec-results.json ./... || echo "gosec completed"

- name: Upload gosec results as artifact
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
if: always() && hashFiles('gosec-results.json') != ''
with:
name: gosec-security-results
path: gosec-results.json

module-scan:
name: Go Module Security Scan
runs-on: ubuntu-latest
timeout-minutes: 30

steps:
- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- name: Set up Go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: '1.24.9'

- name: Run Trivy for Go module scanning
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
continue-on-error: true
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'trivy-go-results.sarif'
# Focus on Go modules and high/critical vulnerabilities
scanners: 'vuln'
severity: 'HIGH,CRITICAL'

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
if: always() && hashFiles('trivy-go-results.sarif') != ''
with:
sarif_file: trivy-go-results.sarif
category: 'trivy-go-modules'

- name: Generate Go module dependency report
env:
GOFLAGS: -mod=mod
run: |
# Ensure go.sum is up to date
go mod tidy

# Generate comprehensive dependency information
go mod graph > go-mod-graph.txt
go mod why -m all > go-mod-why.txt
go list -m -versions all > go-mod-versions.txt

- name: Upload Go module reports
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
if: always()
with:
name: go-module-reports
path: |
go.list
go-mod-graph.txt
go-mod-why.txt
go-mod-versions.txt
trivy-go-results.sarif
Comment on lines +137 to +141
Copy link
Contributor

@jj22ee jj22ee Nov 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How will we be using these report files? Is it for PR authors to look at?


Loading
Loading