Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 5 additions & 15 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -79,28 +79,18 @@ jobs:
with:
go-version: ${{ env.GO_VERSION }}

- name: Run Static Analysis Security Scanner
run: |
echo "Installing reliable static analysis tools..."
go install honnef.co/go/tools/cmd/staticcheck@latest
go install golang.org/x/vuln/cmd/govulncheck@latest

echo "Running staticcheck for code quality analysis..."
staticcheck -f json ./... > staticcheck-results.json || true

echo "Running govulncheck for vulnerability scanning..."
govulncheck -json ./... > govulncheck-results.json || true

echo "Creating SARIF output for GitHub Security tab..."
echo '{"version":"2.1.0","runs":[{"tool":{"driver":{"name":"ci-static-analysis","version":"1.0.0"}},"results":[]}]}' > gosec.sarif
- name: Install gosec
run: go install github.com/securego/gosec/v2/cmd/gosec@latest

echo "Static analysis completed successfully"
- name: Run gosec security scanner
run: gosec -no-fail -fmt sarif -out gosec.sarif ./...

- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v4
if: always() && hashFiles('gosec.sarif') != ''
with:
sarif_file: gosec.sarif
category: gosec

# Build and test
test:
Expand Down
36 changes: 6 additions & 30 deletions .github/workflows/security.yml
Original file line number Diff line number Diff line change
Expand Up @@ -249,42 +249,18 @@ jobs:
git config --global url."https://github.com/".insteadOf "git@github.com:"
git config --global url."https://".insteadOf "git://"

- name: Install Static Analysis Tools
run: |
echo "Go version: $(go version)"
echo "GOPATH: $(go env GOPATH)"
echo "GOPROXY: $(go env GOPROXY)"

# Install reliable static analysis tools that work with Go 1.24
echo "Installing staticcheck..."
go install honnef.co/go/tools/cmd/staticcheck@latest

echo "Installing govulncheck..."
go install golang.org/x/vuln/cmd/govulncheck@latest

- name: Run Static Analysis
run: |
echo "Running static analysis tools..."

# Run staticcheck for code quality issues
echo "Running staticcheck..."
staticcheck -f json ./... > staticcheck-results.json || true

# Run govulncheck for vulnerability scanning
echo "Running govulncheck..."
govulncheck -json ./... > govulncheck-results.json || true

# Create a basic SARIF file from the results
echo "Creating SARIF output..."
echo '{"version":"2.1.0","runs":[{"tool":{"driver":{"name":"static-analysis-suite","version":"1.0.0","informationUri":"https://github.com/perun-engineering/deployment-annotator-for-grafana","rules":[]}},"results":[]}]}' > gosec-results.sarif
- name: Install gosec
run: go install github.com/securego/gosec/v2/cmd/gosec@latest

echo "Static analysis completed successfully"
- name: Run gosec
run: gosec -no-fail -fmt sarif -out gosec-results.sarif ./...

- name: Upload Static Analysis results
- name: Upload gosec results
uses: github/codeql-action/upload-sarif@v4
if: always() && hashFiles('gosec-results.sarif') != ''
with:
sarif_file: gosec-results.sarif
category: gosec

- name: Install Semgrep
run: python3 -m pip install semgrep
Expand Down
Loading