ci: add periodic security-scan cron workflow (#72) #91
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ci | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| permissions: | |
| contents: read | |
| jobs: | |
| test: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - uses: actions/setup-go@v6 | |
| with: | |
| go-version: '1.26.x' | |
| - name: go vet | |
| run: go vet ./... | |
| - name: go test | |
| run: go test -race ./... | |
| - name: build | |
| run: make build | |
| security: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - uses: actions/setup-go@v6 | |
| with: | |
| go-version: '1.26.x' | |
| - name: install gosec | |
| run: go install github.com/securego/gosec/v2/cmd/gosec@latest | |
| # Tracks: golang.org/x/vuln/cmd/govulncheck@v1.1.4 | |
| # Pinned to an explicit version so a compromised or buggy upstream | |
| # release cannot silently land in CI between Renovate bumps. The | |
| # tracked tag in this comment must move in lockstep with the | |
| # `@vX.Y.Z` below — same convention as the Trivy action pin in the | |
| # `image-scan` job (#68) and the Dockerfile base-image digest pins | |
| # (#32). | |
| - name: install govulncheck | |
| run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.4 | |
| - name: gosec | |
| run: gosec ./... | |
| - name: govulncheck | |
| run: govulncheck ./... | |
| image-scan: | |
| runs-on: ubuntu-latest | |
| # Belt-and-suspenders: the workflow-level permissions block above | |
| # already grants only `contents: read`, but a future top-level | |
| # escalation would silently widen this job's scope without the | |
| # explicit declaration. Pin the minimum here so a regression in the | |
| # workflow header doesn't grant the scanner write tokens. | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - name: build image | |
| # The scan operates on the same artifact a PR would publish. | |
| run: docker build -t pyrycode-relay:${{ github.sha }} . | |
| # Tracks: aquasecurity/trivy-action@v0.36.0 | |
| # Pinned by commit SHA so a tag-swap upstream cannot change what | |
| # runs against our image between Renovate bumps. Refresh the | |
| # comment in lockstep with the SHA so a reviewer can sanity-check | |
| # which release the digest refers to. Same convention as the | |
| # Dockerfile base-image digest pins (#32). | |
| - name: trivy image scan | |
| uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 | |
| with: | |
| image-ref: pyrycode-relay:${{ github.sha }} | |
| format: table | |
| severity: CRITICAL,HIGH | |
| # Only fixable CVEs fail the build. CVEs with no upstream | |
| # patch produce no actionable work and would block every PR | |
| # until someone unrelated to the change fixes them. | |
| ignore-unfixed: true | |
| # Cover both OS packages and language manifests / Go binary | |
| # content Trivy can re-derive. Some overlap with govulncheck | |
| # (#41) is intentional: govulncheck audits source + reachability; | |
| # Trivy audits what physically shipped in the image. | |
| vuln-type: os,library | |
| exit-code: '1' |