ci: wire govulncheck job to the action (missed in prior commit)
The previous commit deleted the wrapper files but a failed `git add`
pathspec dropped the security.yml/CODEOWNERS/docs edits, leaving the
job pointing at the now-deleted wrapper. This commits the actual
govulncheck-action + SARIF-upload job body and the doc/CODEOWNERS
updates.
SECURITY-SCANNING.md (24 additions, 25 deletions)
@@ -32,7 +32,7 @@ all three `security-gate` jobs report success (or skipped).
| Workflow file | Tool | What it scans | Runs on |
|---|---|---|---|
-
|`.github/workflows/security.yml`|**govulncheck**| Known Go CVEs in all modules (`.`, `api`, `agent`, `ssh`, `cli`, `gateway`, `openapi`, `tests`) | PR + push to master + weekly |
+
|`.github/workflows/security.yml`|**govulncheck**| Known Go CVEs in all modules (`.`, `api`, `agent`, `ssh`, `cli`, `gateway`, `openapi`, `tests`); SARIF uploaded to GitHub Security tab| PR + push to master + weekly |
|`.github/workflows/security.yml`|**Trivy (image)**| OS/library CVEs in service images (`api`, `ssh`, `gateway`, `cli`, `ui`, `agent`) | PR + push to master + weekly |
|`.github/workflows/semgrep.yml`|**Semgrep**| Static analysis via `p/golang`, `p/dockerfile`, `p/ci`; PR mode uses `--baseline-ref` so only _new_ findings block | PR + push to master + weekly |
|`.github/workflows/codeql.yml`|**CodeQL**| Semantic Go analysis across all modules; SARIF uploaded to GitHub Security tab | PR + push to master + weekly |
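Review bot: the edited govulncheck cell ends with `Security tab| PR`, dropping the space before the pipe that every other row in this table uses (`... | PR + push to master + weekly |`); cosmetic, but matching the existing `| ` separators keeps the table readable as source. Since the row now advertises a SARIF upload to the GitHub Security tab, the `security-events: write` caveat the doc already raises for that upload (visible as context in the next hunk) applies to the govulncheck job as well; consider saying so where this row is described rather than only for CodeQL.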
@@ -45,7 +45,7 @@ those lack the necessary `security-events: write` permission).
## Baseline suppression files
-
Three baseline files gate new suppressions behind a team-lead code-owner review
+
Two baseline files gate new suppressions behind a team-lead code-owner review
(see `.github/CODEOWNERS`).
### `.trivyignore` — Trivy CVE suppression
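Review bot: changing `Three` to `Two` leaves the sentence without naming which two baseline files remain, and with one baseline section deleted in this commit a reader can no longer infer the set from the subsections. Suggest listing both files inline in this sentence (only `.trivyignore` is visible among the subsection headings in this diff) so the count and the sections below cannot drift apart again.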
@@ -64,22 +64,6 @@ Three baseline files gate new suppressions behind a team-lead code-owner review
`@shellhub-io/team-lead` for mandatory review.
4. Schedule a quarterly review to remove the entry once the vulnerability is patched.
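Review bot: the hunk header `@@ -64,22 +64,6 @@` records 16 deleted lines following step 4, but the deleted lines are not shown in this rendering, so the deletion cannot be reviewed line by line. The commit message says this is the section for the now-deleted wrapper; please confirm that no remaining text (the workflow table row, the `security-gate` introduction, CODEOWNERS patterns) still refers to a baseline file that no longer exists, and that step 4's quarterly-review guidance still reads as the end of the `.trivyignore` list once the following section is gone.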