fix(dashboard): restrict requireAdminToken query-param to GET only (PILOT-238) #13
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: security | |
| # Security CI baseline for the rendezvous registry. Gating jobs: | |
| # codeql — Go static analysis (security-and-quality) | |
| # gosec — Go SAST (HIGH/MEDIUM severity; accepted rule classes | |
| # excluded via .gosec.json, justified in that file) | |
| # govulncheck — known-vuln scan of the call graph (stdlib + deps) | |
| # gitleaks — secret scan over the diff/history | |
| # Each runs on push to main and on every PR targeting main. | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| permissions: | |
| contents: read | |
| jobs: | |
| codeql: | |
| name: CodeQL (Go) | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| security-events: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 | |
| with: | |
| go-version: '1.25.11' | |
| cache: true | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3 | |
| with: | |
| languages: go | |
| queries: security-and-quality | |
| - name: Build | |
| env: | |
| GOWORK: off | |
| run: go build ./... | |
| - name: Analyze | |
| uses: github/codeql-action/analyze@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3 | |
| with: | |
| category: /language:go | |
| gosec: | |
| name: gosec SAST | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 | |
| with: | |
| go-version: '1.25.11' | |
| cache: true | |
| - name: Run gosec | |
| env: | |
| GOWORK: off | |
| # Gate on HIGH and MEDIUM severity at MEDIUM+ confidence. Accepted | |
| # rule classes (length-conversion overflows, operator-config file | |
| # reads, 0644 registry persistence) are excluded in .gosec.json with | |
| # per-rule justification; nothing is blanket-disabled. | |
| run: | | |
| go run github.com/securego/gosec/v2/cmd/gosec@v2.22.9 \ | |
| -conf .gosec.json \ | |
| -severity medium \ | |
| -confidence medium \ | |
| ./... | |
| govulncheck: | |
| name: govulncheck | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 | |
| with: | |
| go-version: '1.25.11' | |
| cache: true | |
| - name: Run govulncheck | |
| env: | |
| GOWORK: off | |
| run: | | |
| go run golang.org/x/vuln/cmd/govulncheck@latest ./... | |
| gitleaks: | |
| name: gitleaks secret scan | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| fetch-depth: 0 | |
| # The gitleaks GitHub Action (gitleaks/gitleaks-action) requires a paid | |
| # GITLEAKS_LICENSE secret for ORGANIZATION repos. The gitleaks binary | |
| # itself is MIT-licensed and free, so we run a version-pinned binary | |
| # release directly — same scan, no license gate. | |
| - name: Install gitleaks | |
| env: | |
| GITLEAKS_VERSION: "8.30.1" | |
| run: | | |
| set -euo pipefail | |
| curl -sSL -o /tmp/gitleaks.tar.gz \ | |
| "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" | |
| tar -xzf /tmp/gitleaks.tar.gz -C /tmp gitleaks | |
| sudo install /tmp/gitleaks /usr/local/bin/gitleaks | |
| gitleaks version | |
| - name: Run gitleaks (full history) | |
| run: | | |
| gitleaks git --no-banner --redact --verbose . |