security-ci.yaml

name: Go Security CI
on:
  push:
    branches:
      - "master"
  pull_request:
    branches:
      - "*"
  workflow_dispatch:
    inputs:
      logLevel:
        description: "Log level"
        required: true
        default: "warning"

jobs:
  govulncheck:
    name: govulncheck
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v3
        with:
          check-latest: "true"
          go-version: "1.22.x"
      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - name: Run vulnerability checks
        run: govulncheck ./...
  gosec:
    name: GoSec Security Scanner
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v3
        with:
          check-latest: "true"
          go-version: "1.22.x"
      - name: install gosec
        run: curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $(go env GOPATH)/bin
      - name: Run Gosec Security Scanner
        run: $(go env GOPATH)/bin/gosec -exclude=G115 -severity=high -confidence=medium ./...
  trivy:
    name: trivy
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@master
        with:
          exit-code: '1'
          scan-type: 'fs'
          scan-ref: './'
          severity: 'HIGH,CRITICAL'