| name: Security |
|
|
| on: |
| push: |
| branches: [main, develop] |
| pull_request: |
| branches: [main, develop] |
| schedule: |
| - cron: '0 0 * * 0' |
|
|
| jobs: |
| gosec: |
| runs-on: ubuntu-latest |
| steps: |
| - uses: actions/checkout@v4 |
|
|
| - name: Run Gosec |
| uses: securego/gosec@master |
| with: |
| args: '-fmt sarif -out results.sarif ./...' |
|
|
| - name: Upload SARIF |
| uses: github/codeql-action/upload-sarif@v2 |
| with: |
| sarif_file: results.sarif |
|
|
| govulncheck: |
| runs-on: ubuntu-latest |
| steps: |
| - uses: actions/checkout@v4 |
|
|
| - uses: actions/setup-go@v5 |
| with: |
| go-version: '1.24' |
|
|
| - name: Install govulncheck |
| run: go install golang.org/x/vuln/cmd/govulncheck@latest |
|
|
| - name: Run govulncheck |
| run: govulncheck ./... |
|
|
| trivy: |
| runs-on: ubuntu-latest |
| steps: |
| - uses: actions/checkout@v4 |
|
|
| - name: Build image |
| run: docker build -t cliproxy:test . |
|
|
| - name: Run Trivy |
| uses: aquasecurity/trivy-action@master |
| with: |
| image-ref: 'cliproxy:test' |
| format: 'sarif' |
| output: 'trivy-results.sarif' |
|
|
| - name: Upload SARIF |
| uses: github/codeql-action/upload-sarif@v2 |
| with: |
| sarif_file: trivy-results.sarif |
|
|
| dependency-review: |
| runs-on: ubuntu-latest |
| if: github.event_name == 'pull_request' |
| steps: |
| - uses: actions/checkout@v4 |
| - uses: actions/dependency-review-action@v3 |
|
|