Go Vulnerability Scan #5
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Go Vulnerability Scan | |
| on: | |
| schedule: | |
| - cron: '30 8 * * 2' # Weekly on Tuesdays at 8:30 AM UTC | |
| workflow_dispatch: | |
| jobs: | |
| vulncheck: | |
| name: Go Vulnerability Scan | |
| runs-on: ubuntu-24.04 | |
| timeout-minutes: 10 | |
| steps: | |
| - name: Check out source code | |
| uses: actions/checkout@v4 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: go.mod | |
| - name: Get official govulncheck | |
| run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.4 | |
| shell: bash | |
| - name: Run govulncheck | |
| run: govulncheck -format json ./... | tee govulncheck-results.json | |
| shell: bash | |
| - name: Parse govulncheck results | |
| run: | | |
| echo "recommendations=$(jq -s '[.[] | select(.finding != null) | .finding] | unique_by(.osv) | map("\(.osv)\n\(.trace[0].module)@\(.trace[0].version) => \(.fixed_version)") | join("\n")' govulncheck-results.json | tr -d '\"')" >> $GITHUB_OUTPUT | |
| shell: bash | |
| id: recommendations | |
| - name: Post no recommendations message | |
| id: slack-no-recommendations | |
| uses: slackapi/slack-github-action@v2 | |
| if: steps.recommendations.outputs.recommendations == '' | |
| with: | |
| method: chat.postMessage | |
| token: ${{ secrets.ORG_GOVULNCHECK_SLACK_BOT_TOKEN }} | |
| payload: | | |
| channel: C08DCHLNKDX # bp-vulnerability-checks | |
| text: "🔍 Govulncheck: ${{ github.repository }}" | |
| attachments: | |
| - color: "#00ff38" | |
| blocks: | |
| - type: section | |
| text: | |
| type: mrkdwn | |
| text: "✅ No vulnerabilities found" | |
| - name: Post findings to Slack | |
| id: slack | |
| uses: slackapi/slack-github-action@v2 | |
| if: steps.recommendations.outputs.recommendations != '' | |
| with: | |
| method: chat.postMessage | |
| token: ${{ secrets.ORG_GOVULNCHECK_SLACK_BOT_TOKEN }} | |
| payload: | | |
| channel: C08DCHLNKDX # bp-vulnerability-checks | |
| text: "🔍 Govulncheck: ${{ github.repository }}" | |
| attachments: | |
| - color: "#ff0000" | |
| blocks: | |
| - type: section | |
| text: | |
| type: mrkdwn | |
| text: "Scan found vulnerabilities for repository: ${{ github.repository }}" | |
| - type: divider | |
| - type: section | |
| text: | |
| type: mrkdwn | |
| text: "Recommendations found:\n${{ steps.recommendations.outputs.recommendations }}" | |
| - type: divider | |
| - type: section | |
| text: | |
| type: mrkdwn | |
| text: "<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Result>" | |
| - name: Exit | |
| if: steps.recommendations.outputs.recommendations != '' | |
| run: | | |
| exit 1 |