Skip to content
Security

chore: Configure Renovate #364

Sign in to view logs

chore: Configure Renovate

chore: Configure Renovate #364

Workflow file for this run

.github/workflows/security.yml at 9ba3e24
name: Security
on:
push:
branches:
- main
pull_request:
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
permissions:
# Required to stop running workflows
actions: write
jobs:
vulns:
name: Nancy scanner
continue-on-error: true
runs-on: ubuntu-latest
steps:
-
name: Cancel previous workflows
uses: styfle/[email protected]
with:
access_token: ${{ secrets.GITHUB_TOKEN }}
-
uses: actions/checkout@v3
-
uses: actions/setup-go@v3
with:
go-version: 1.19
-
name: Run go list
run: go list -json -m all > go.list
-
name: Nancy
uses: sonatype-nexus-community/[email protected]
trivy:
name: Trivy scanner
continue-on-error: true
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
pull-requests: read
steps:
-
name: Cancel previous workflows
uses: styfle/[email protected]
with:
access_token: ${{ secrets.GITHUB_TOKEN }}
-
uses: actions/checkout@v3
-
name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
severity: 'CRITICAL'
-
name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
# snyk:
# name: Snyk scanner
# continue-on-error: true
# if: (github.action != 'dependabot[bot]')
# runs-on: ubuntu-latest
# permissions:
# contents: read
# security-events: write
# pull-requests: read
# actions: write
#
# steps:
# -
# name: Cancel previous workflows
# uses: styfle/[email protected]
# with:
# access_token: ${{ secrets.GITHUB_TOKEN }}
# -
# uses: actions/checkout@v3
# -
# name: Run Snyk to check for vulnerabilities
# uses: snyk/actions/golang@master
# continue-on-error: true # To make sure that SARIF upload gets called
# env:
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# with:
# args: --sarif-file-output=snyk-results.sarif
# -
# name: Upload result to GitHub Code Scanning
# uses: github/codeql-action/upload-sarif@v2
# with:
# sarif_file: snyk-results.sarif
semgrep:
name: Static analysis (semgrep)
continue-on-error: true
runs-on: ubuntu-latest
if: (github.action != 'dependabot[bot]')
permissions:
contents: read
security-events: write
pull-requests: read
steps:
-
name: Cancel previous workflows
uses: styfle/[email protected]
with:
access_token: ${{ secrets.GITHUB_TOKEN }}
-
uses: actions/checkout@v3
-
uses: returntocorp/semgrep-action@v1
with:
generateSarif: "1"
config: >-
p/security-audit
p/secrets
p/supply-chain
p/docker
p/golang
p/trailofbits
-
name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: semgrep.sarif