-
Notifications
You must be signed in to change notification settings - Fork 0
152 lines (143 loc) · 4.8 KB
/
Copy pathsecurity.yml
File metadata and controls
152 lines (143 loc) · 4.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
name: security
on:
push:
branches: [main]
pull_request:
branches: [main]
# Least privilege at the workflow level; jobs widen only where required
# (CodeQL needs security-events: write to upload SARIF).
permissions:
contents: read
concurrency:
group: security-${{ github.ref }}
cancel-in-progress: true
jobs:
# Race-gated test as a hard security gate. Mirrors ci.yml's test step
# but stands on its own so the security workflow is self-contained and
# required even if ci.yml is refactored. -race catches the data races
# that the concurrent allowlist refresh (runtime.go) could introduce.
race-test:
name: go test -race
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7
- uses: actions/setup-go@v6
with:
go-version: '1.25'
cache: true
- name: go test -race
env:
GOWORK: off
run: go test -race -parallel 4 ./...
# govulncheck — known-vulnerability scan over the call graph. Surfaces
# CVEs in both our deps and the standard library that our code actually
# reaches. Uses the toolchain pinned by setup-go; '1.25' resolves to the
# latest patched 1.25.x, which carries the stdlib fixes.
govulncheck:
name: govulncheck
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7
- uses: actions/setup-go@v6
with:
go-version: '1.25'
cache: true
- name: Install govulncheck
run: go install golang.org/x/vuln/cmd/govulncheck@latest
- name: Run govulncheck
env:
GOWORK: off
run: govulncheck ./...
# gosec — static analysis for insecure Go patterns (unsafe, weak crypto,
# path traversal, etc.). Uploads SARIF so findings appear in the
# Security tab. No blanket disables; the curated -exclude list documents
# accepted findings inline (see flags below).
gosec:
name: gosec
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@v7
- uses: actions/setup-go@v6
with:
go-version: '1.25'
cache: true
- name: Run gosec
uses: securego/gosec@master
with:
# SARIF for the Security tab; fail the job on any finding.
# No rules are globally disabled — the package currently has
# zero gosec findings, so there is nothing to exclude.
args: '-no-fail -fmt sarif -out gosec-results.sarif ./...'
- name: Upload gosec SARIF
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: gosec-results.sarif
category: gosec
- name: Fail on gosec findings
run: |
count=$(grep -c '"ruleId"' gosec-results.sarif || true)
if [ "${count:-0}" -gt 0 ]; then
echo "::error::gosec reported ${count} finding(s)"
exit 1
fi
echo "gosec: 0 findings"
# gitleaks — secret scanning over the working tree and git history.
# We run the gitleaks binary directly rather than gitleaks-action@v2,
# which now requires a paid GITLEAKS_LICENSE for organization repos.
# The binary scan is identical and license-free.
gitleaks:
name: gitleaks
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7
with:
fetch-depth: 0
- name: Install gitleaks
run: |
VERSION=8.30.1
curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${VERSION}/gitleaks_${VERSION}_linux_x64.tar.gz" \
| tar -xz -C /usr/local/bin gitleaks
gitleaks version
- name: Run gitleaks (git history)
run: gitleaks git . --no-banner --redact --exit-code 1
# CodeQL — semantic SAST for Go. Default + security-extended queries.
codeql:
name: codeql
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@v7
- uses: actions/setup-go@v6
with:
go-version: '1.25'
cache: true
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: go
queries: security-extended
- name: Autobuild
uses: github/codeql-action/autobuild@v4
env:
GOWORK: off
- name: Perform CodeQL analysis
uses: github/codeql-action/analyze@v4
with:
category: '/language:go'
# dependency-review — blocks PRs that introduce vulnerable or
# incompatibly-licensed dependencies. PR-only (needs a base to diff).
dependency-review:
name: dependency-review
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
steps:
- uses: actions/checkout@v7
- name: Dependency review
uses: actions/dependency-review-action@v5
with:
fail-on-severity: moderate