Skip to content

Commit 490ed47

Browse files
authored
ci: run real gosec SARIF instead of hardcoded empty results (#112)
1 parent 8070fa7 commit 490ed47

2 files changed

Lines changed: 11 additions & 45 deletions

File tree

.github/workflows/ci.yml

Lines changed: 5 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -79,28 +79,18 @@ jobs:
7979
with:
8080
go-version: ${{ env.GO_VERSION }}
8181

82-
- name: Run Static Analysis Security Scanner
83-
run: |
84-
echo "Installing reliable static analysis tools..."
85-
go install honnef.co/go/tools/cmd/staticcheck@latest
86-
go install golang.org/x/vuln/cmd/govulncheck@latest
87-
88-
echo "Running staticcheck for code quality analysis..."
89-
staticcheck -f json ./... > staticcheck-results.json || true
90-
91-
echo "Running govulncheck for vulnerability scanning..."
92-
govulncheck -json ./... > govulncheck-results.json || true
93-
94-
echo "Creating SARIF output for GitHub Security tab..."
95-
echo '{"version":"2.1.0","runs":[{"tool":{"driver":{"name":"ci-static-analysis","version":"1.0.0"}},"results":[]}]}' > gosec.sarif
82+
- name: Install gosec
83+
run: go install github.com/securego/gosec/v2/cmd/gosec@latest
9684

97-
echo "Static analysis completed successfully"
85+
- name: Run gosec security scanner
86+
run: gosec -no-fail -fmt sarif -out gosec.sarif ./...
9887

9988
- name: Upload SARIF file
10089
uses: github/codeql-action/upload-sarif@v4
10190
if: always() && hashFiles('gosec.sarif') != ''
10291
with:
10392
sarif_file: gosec.sarif
93+
category: gosec
10494

10595
# Build and test
10696
test:

.github/workflows/security.yml

Lines changed: 6 additions & 30 deletions
Original file line numberDiff line numberDiff line change
@@ -249,42 +249,18 @@ jobs:
249249
git config --global url."https://github.com/".insteadOf "git@github.com:"
250250
git config --global url."https://".insteadOf "git://"
251251
252-
- name: Install Static Analysis Tools
253-
run: |
254-
echo "Go version: $(go version)"
255-
echo "GOPATH: $(go env GOPATH)"
256-
echo "GOPROXY: $(go env GOPROXY)"
257-
258-
# Install reliable static analysis tools that work with Go 1.24
259-
echo "Installing staticcheck..."
260-
go install honnef.co/go/tools/cmd/staticcheck@latest
261-
262-
echo "Installing govulncheck..."
263-
go install golang.org/x/vuln/cmd/govulncheck@latest
264-
265-
- name: Run Static Analysis
266-
run: |
267-
echo "Running static analysis tools..."
268-
269-
# Run staticcheck for code quality issues
270-
echo "Running staticcheck..."
271-
staticcheck -f json ./... > staticcheck-results.json || true
272-
273-
# Run govulncheck for vulnerability scanning
274-
echo "Running govulncheck..."
275-
govulncheck -json ./... > govulncheck-results.json || true
276-
277-
# Create a basic SARIF file from the results
278-
echo "Creating SARIF output..."
279-
echo '{"version":"2.1.0","runs":[{"tool":{"driver":{"name":"static-analysis-suite","version":"1.0.0","informationUri":"https://github.com/perun-engineering/deployment-annotator-for-grafana","rules":[]}},"results":[]}]}' > gosec-results.sarif
252+
- name: Install gosec
253+
run: go install github.com/securego/gosec/v2/cmd/gosec@latest
280254

281-
echo "Static analysis completed successfully"
255+
- name: Run gosec
256+
run: gosec -no-fail -fmt sarif -out gosec-results.sarif ./...
282257

283-
- name: Upload Static Analysis results
258+
- name: Upload gosec results
284259
uses: github/codeql-action/upload-sarif@v4
285260
if: always() && hashFiles('gosec-results.sarif') != ''
286261
with:
287262
sarif_file: gosec-results.sarif
263+
category: gosec
288264

289265
- name: Install Semgrep
290266
run: python3 -m pip install semgrep

0 commit comments

Comments
 (0)