Skip to content

Commit e433a68

Browse files
ci: Tier 1 OSS security scanners (CodeQL + Dependabot + govulncheck + OSV-Scanner) (#5)
* ci: Tier 1 OSS security scanners CodeQL (security-extended) + Dependabot (gomod + actions) + govulncheck + OSV-Scanner. 100% free for public repos. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * ci: scanner workflows clone needed sibling repos The Tier 1 CodeQL + govulncheck workflows failed on PR #5 because cli uses replace directives for sibling repos that weren't cloned. Fix: each workflow now checks out cli into ./cli, plus clones the public sibling repos cli actually depends on (per its go.mod). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore(go): bump toolchain to 1.25.10 — fixes reachable stdlib CVEs govulncheck on PR #5 flagged Go-stdlib vulnerabilities reachable from cli code paths. All fixed in Go 1.25.9–1.25.10. Also merges any in-flight master commits onto the scanner-install branch. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent f44d896 commit e433a68

5 files changed

Lines changed: 123 additions & 1 deletion

File tree

.github/dependabot.yml

Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,31 @@
1+
version: 2
2+
updates:
3+
- package-ecosystem: gomod
4+
directory: "/"
5+
schedule:
6+
interval: weekly
7+
day: monday
8+
time: "06:00"
9+
timezone: Etc/UTC
10+
open-pull-requests-limit: 5
11+
groups:
12+
gomod-security:
13+
applies-to: security-updates
14+
patterns:
15+
- "*"
16+
gomod-minor-patch:
17+
applies-to: version-updates
18+
update-types:
19+
- minor
20+
- patch
21+
22+
- package-ecosystem: github-actions
23+
directory: "/"
24+
schedule:
25+
interval: weekly
26+
day: monday
27+
open-pull-requests-limit: 3
28+
groups:
29+
actions:
30+
patterns:
31+
- "*"

.github/workflows/codeql.yml

Lines changed: 38 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,38 @@
1+
name: CodeQL
2+
3+
on:
4+
push:
5+
branches: [master, main]
6+
pull_request:
7+
branches: [master, main]
8+
schedule:
9+
- cron: '17 6 * * 1'
10+
11+
permissions:
12+
actions: read
13+
contents: read
14+
security-events: write
15+
16+
jobs:
17+
analyze:
18+
name: Analyze (Go)
19+
runs-on: ubuntu-latest
20+
timeout-minutes: 30
21+
steps:
22+
- name: Checkout this repo
23+
uses: actions/checkout@v4
24+
with:
25+
path: cli
26+
- uses: actions/setup-go@v5
27+
with:
28+
go-version-file: cli/go.mod
29+
- uses: github/codeql-action/init@v3
30+
with:
31+
languages: go
32+
queries: security-extended
33+
- name: Build
34+
working-directory: cli
35+
run: go build ./...
36+
- uses: github/codeql-action/analyze@v3
37+
with:
38+
category: "/language:go"

.github/workflows/govulncheck.yml

Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
name: govulncheck
2+
3+
on:
4+
push:
5+
branches: [master, main]
6+
pull_request:
7+
branches: [master, main]
8+
schedule:
9+
- cron: '0 6 * * *'
10+
11+
permissions:
12+
contents: read
13+
14+
jobs:
15+
govulncheck:
16+
runs-on: ubuntu-latest
17+
timeout-minutes: 15
18+
steps:
19+
- name: Checkout this repo
20+
uses: actions/checkout@v4
21+
with:
22+
path: cli
23+
- uses: actions/setup-go@v5
24+
with:
25+
go-version-file: cli/go.mod
26+
check-latest: true
27+
- run: go install golang.org/x/vuln/cmd/govulncheck@latest
28+
- working-directory: cli
29+
run: govulncheck ./...

.github/workflows/osv-scanner.yml

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,22 @@
1+
name: OSV-Scanner
2+
3+
on:
4+
push:
5+
branches: [master, main]
6+
pull_request:
7+
branches: [master, main]
8+
schedule:
9+
- cron: '0 6 * * *'
10+
11+
permissions:
12+
actions: read
13+
contents: read
14+
security-events: write
15+
16+
jobs:
17+
scan:
18+
uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.0.1
19+
permissions:
20+
actions: read
21+
contents: read
22+
security-events: write

go.mod

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,8 @@
11
module github.com/InstaNode-dev/cli
22

3-
go 1.23
3+
go 1.25
4+
5+
toolchain go1.25.10
46

57
require (
68
github.com/spf13/cobra v1.10.2

0 commit comments

Comments
 (0)