Merge pull request #98 from AlphaOne1/dependabot/github_actions/aquasecurity/trivy-action-0.34.2

Bump aquasecurity/trivy-action from 0.34.1 to 0.34.2

Author: AlphaOne1

.github/workflows/security.yml

@@ -11,13 +11,41 @@ on:
         branches:
           - master
 
-# Declare default permissions as read only.
+# Declare default permissions as read-only.
 permissions: read-all
 
 jobs:
+    GolangCI:
+        runs-on: ubuntu-latest
+        permissions:
+            contents: read
+            security-events: write
+        steps:
+          - name: Harden Runner
+            uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+            with:
+                egress-policy: audit
+
+          - name: Checkout
+            uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+            with:
+                fetch-depth: 1
+
+          - name: Run golangci-lint
+            uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
+            with:
+                version: latest
+                args: --timeout=5m --output.sarif.path=golangci-lint-results.sarif --output.text.path=stdout
+
+          - name: Upload golangci-lint results to GitHub Security tab
+            uses: github/codeql-action/upload-sarif@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5
+            with:
+                sarif_file: golangci-lint-results.sarif
+
     TrivyCode:
         runs-on: ubuntu-latest
         permissions:
+            contents: read
             security-events: write
         steps:
           - name: Harden Runner
@@ -28,14 +56,14 @@ jobs:
           - name: Checkout code
             uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-          - name: Run Trivy vulnerability scanner in repo mode
-            uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # 0.34.1
+          - name: Run Trivy vulnerability scanner in fs mode
+            uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # 0.34.2
             with:
                 scan-type: 'fs'
                 ignore-unfixed: true
                 format: 'sarif'
                 output: 'trivy-results.sarif'
-                severity: 'CRITICAL'
+                severity: 'CRITICAL,HIGH'
 
           - name: Upload Trivy scan results to GitHub Security tab
             uses: github/codeql-action/upload-sarif@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5
@@ -45,38 +73,33 @@ jobs:
     VulnerabilityCheck:
         runs-on: ubuntu-latest
         permissions:
+            contents: read
             security-events: write
         steps:
           - name: Harden Runner
             uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
             with:
                 egress-policy: audit
 
-          - name: Checkout
-            uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-            with:
-                fetch-depth: 1
-
-          - name: VulnerabilityCheck
+          - name: Vulnerability Check
             uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
             with:
-                repo-checkout: false
                 output-format: sarif
                 output-file: govulncheck-results.sarif
 
-          - name: PrintSarif
+          - name: Print Sarif
+            id: printSarif
             run:  |
                 cat govulncheck-results.sarif
-
-                if grep "'results'" govulncheck-results.serif
+                if grep results govulncheck-results.sarif
                 then
                     echo "hasResults=true" >> $GITHUB_OUTPUT
                 else
                     echo "hasResults=false" >> $GITHUB_OUTPUT
                 fi
 
-          - name: Upload govulncheck results to GitHub Security tab
-            if: ${{ steps.PrintSarif.outputs.hasResults == 'true' }}
+          - name: Upload govulncheck results to Security tab
+            if: ${{ steps.printSarif.outputs.hasResults == 'true' }}
             uses: github/codeql-action/upload-sarif@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5
             with:
                 sarif_file: govulncheck-results.sarif

geany.go

@@ -82,7 +82,7 @@ func PrintSimpleWriter(writer io.Writer, values any) error {
 
 	// normally we have the program's name given as the first argument
 	if len(os.Args) > 0 && os.Args[0] != "" {
-		if _, err := fmt.Fprintf(writer, "%s\n", os.Args[0]); err != nil {
+		if _, err := fmt.Fprintf(writer, "%s\n", os.Args[0]); err != nil { //nolint:gosec // nothing wrong here
 			return fmt.Errorf("could not write program name: %w", err)
 		}
 	}

geany_test.go

@@ -21,7 +21,7 @@ func TestPrintLogo(t *testing.T) {
 
 	require.NoError(t, fErr)
 
-	defer func() { assert.NoError(t, os.Remove(tempFile.Name())) }()
+	defer func() { assert.NoError(t, os.Remove(tempFile.Name())) }() //nolint:gosec
 
 	save := os.Stdout
 	os.Stdout = tempFile
@@ -38,7 +38,7 @@ func TestPrintLogo(t *testing.T) {
 
 	assert.True(t, ok, "build info not found in debug.ReadBuildInfo")
 
-	target, targetErr := os.ReadFile(tempFile.Name())
+	target, targetErr := os.ReadFile(tempFile.Name()) //nolint:gosec
 	require.NoError(t, targetErr)
 
 	assert.Equal(t, string(target), "Logo "+buildInfo.GoVersion+"\n", "Logo does not contain go version")
@@ -50,7 +50,7 @@ func TestPrintSimple(t *testing.T) {
 
 	require.NoError(t, fErr)
 
-	defer func() { assert.NoError(t, os.Remove(tempFile.Name())) }()
+	defer func() { assert.NoError(t, os.Remove(tempFile.Name())) }() //nolint:gosec
 
 	save := os.Stdout
 	os.Stdout = tempFile
@@ -64,7 +64,7 @@ func TestPrintSimple(t *testing.T) {
 
 	assert.True(t, ok, "build info not found in debug.ReadBuildInfo")
 
-	target, targetErr := os.ReadFile(tempFile.Name())
+	target, targetErr := os.ReadFile(tempFile.Name()) //nolint:gosec
 	require.NoError(t, targetErr)
 
 	assert.Contains(t, string(target), `"GoVersion": "`+buildInfo.GoVersion+`"`)