Merged
28 changes: 28 additions & 0 deletions .github/workflows/ci.yml
@@ -91,3 +91,31 @@ jobs:
name: capiscio-core
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

security:
name: Security Scanning
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- uses: actions/setup-go@v5
with:
go-version-file: 'go.mod'

Copilot AI Mar 29, 2026

This job uses go-version-file: go.mod while other jobs in this workflow hard-code Go versions. To avoid accidental version skew across jobs, consider standardizing on a single approach (e.g., use go-version-file everywhere or pin the exact same go-version).

- name: Run govulncheck
continue-on-error: true
run: |
go install golang.org/x/vuln/cmd/govulncheck@latest

Copilot AI Mar 29, 2026

go install ...@latest makes the CI result non-reproducible and increases supply-chain risk (the tool version can change between runs). Pin govulncheck to a specific release version (or a commit SHA) so findings are stable and auditable.

Suggested change
go install golang.org/x/vuln/cmd/govulncheck@latest
go install golang.org/x/vuln/cmd/govulncheck@v1.1.3

govulncheck ./...

- name: Run gosec (SAST)
uses: securego/gosec@master

Copilot AI Mar 29, 2026

Using securego/gosec@master is unsafe and non-deterministic because the workflow will execute whatever is on master at run time. Pin the action to a tagged release or a commit SHA to prevent unexpected changes or supply-chain compromise.

Suggested change
uses: securego/gosec@master
uses: securego/gosec@v2.22.0

with:
args: '-no-fail -fmt json -out gosec-results.json ./...'

Copilot AI Mar 29, 2026

The repo’s build/test jobs run with -tags opa_no_wasm, but this security job runs govulncheck/gosec with default build tags. That means tagged code (e.g., //go:build opa_no_wasm files) won’t be analyzed. Consider setting GOFLAGS=-tags=opa_no_wasm (or equivalent tool flags) for both scanners to match the code paths actually built and tested in CI.


- name: Upload gosec results
uses: actions/upload-artifact@v4
if: always()
with:
name: gosec-results
path: gosec-results.json
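Review bot: with `continue-on-error: true` on the "Run govulncheck" step and `-no-fail` in the gosec args, this job can never fail, so a newly vulnerable dependency or a high-severity gosec finding only surfaces if someone opens the artifact after the fact, and the govulncheck output is not even uploaded (only `gosec-results.json` is). Suggest letting govulncheck gate the job by dropping `continue-on-error: true`, or if the intent is a soak-in period, at least capturing its output (`govulncheck ./... | tee govulncheck.txt`) and adding that file to the upload step. For gosec, prefer a severity gate over silencing everything, e.g. `args: '-severity high -confidence high -fmt json -out gosec-results.json ./...'`, and if the findings are meant to be triaged in the repository's Security tab, emit `-fmt sarif` and upload with `github/codeql-action/upload-sarif` instead of a raw artifact. Two smaller points on the same lines: `actions/checkout@v4`, `actions/setup-go@v5` and `actions/upload-artifact@v4` are pinned to mutable major tags, so the SHA-pinning concern raised for `securego/gosec@master` applies to them too; and the job declares no `permissions:` block, so unless the workflow sets one at the top level, add `permissions: contents: read` to keep the default `GITHUB_TOKEN` read-only for a job that only needs to check out and scan code.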