name: Security on: push: branches: [main, develop] pull_request: branches: [main, develop] schedule: - cron: '0 0 * * 0' # Weekly jobs: gosec: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Run Gosec uses: securego/gosec@master with: args: '-fmt sarif -out results.sarif ./...' - name: Upload SARIF uses: github/codeql-action/upload-sarif@v2 with: sarif_file: results.sarif govulncheck: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-go@v5 with: go-version: '1.24' - name: Install govulncheck run: go install golang.org/x/vuln/cmd/govulncheck@latest - name: Run govulncheck run: govulncheck ./... trivy: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Build image run: docker build -t cliproxy:test . - name: Run Trivy uses: aquasecurity/trivy-action@master with: image-ref: 'cliproxy:test' format: 'sarif' output: 'trivy-results.sarif' - name: Upload SARIF uses: github/codeql-action/upload-sarif@v2 with: sarif_file: trivy-results.sarif dependency-review: runs-on: ubuntu-latest if: github.event_name == 'pull_request' steps: - uses: actions/checkout@v4 - uses: actions/dependency-review-action@v3