govulncheck-action

command module
v0.0.6 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 6, 2022 License: Apache-2.0 Imports: 7 Imported by: 0

README ¶

Golang Vulncheck

CI Flow Release Process

This action uses govulncheck to perform a scan of the code, afterwards it will parse the output and transform it into an Sarif Report, which will be uploaded to Github using the code-scanning API. Please note this requires write-permission for security_events. The result should then be visible within the security-tab. By default this action won't exit with a failure if a vulnerability was found, but it can be configured this way.

ℹ Limitations of govulncheck ℹ

For a full list of currently known limitations please head over to here. Listed below are an important overview.

  • Govulncheck only reads binaries compiled with Go 1.18 and later.
  • Govulncheck only reports vulnerabilities that apply to the current Go build system and configuration (GOOS/GOARCH settings).
  • Official Package Documentation: Link
  • Introduction Blogpost: Link

Usage

Example Workflows
This configuration uses a different version of go (1.18) scans ./... and will fail if at least one vulnerability was found. Also it explicitly sets the github-token.
name: My Workflow
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Running govulncheck
        uses: Templum/govulncheck-action@<version>
        with:
          go-version: 1.18
          vulncheck-version: latest
          package: ./...
          github-token: ${{ secrets.GITHUB_TOKEN }}
          fail-on-vuln: true
This configuration uses most of the default values, which are specified below. However it skips the upload to Github and instead uses the upload-artifact-action to upload the result directly as build artifact.
name: My Workflow
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Running govulncheck
        uses: Templum/govulncheck-action@<version>
        with:
          skip-upload: true
      - name: Upload Sarif Report
        uses: actions/upload-artifact@v3
        with:
          name: sarif-report
          path: govulncheck-report.sarif
Inputs
Input Description
go-version (optional) Version of Go used for scanning the code, should equal your runtime version. Defaults to 1.19
vulncheck-version (optional) Version of govulncheck that should be used, by default latest
package (optional) The package you want to scan, by default will be ./...
github-token (optional) Github Token to upload sarif report. Needs write permissions for security_events
fail-on-vuln (optional) This allows you to specify if the action should fail on encountering any vulnerability, by default it will not
skip-upload (optional) This flag allows you to skip the sarif upload, it will be instead written to disk as govulncheck-report.sarif

âš  Please be aware that go-version should be a valid tag name for the golang dockerhub image.

🔒 Please be aware if the token is not specified it uses github.token for more details on that check those docs

Documentation ¶

The Go Gopher

There is no documentation for this package.

Directories ¶

Path Synopsis
pkg

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL