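# SPDX-FileCopyrightText: Copyright 2026 Stacklok, Inc.
# SPDX-License-Identifier: Apache-2.0

# Reusable security-scanning workflow. It runs two independent jobs: a Go
# module vulnerability check (govulncheck) and a filesystem vulnerability scan
# (Grype). Other workflows invoke it via workflow_call; it also runs on a
# daily schedule so new advisories are picked up without a code change.
name: Security

on:
  workflow_call:
  schedule:
    # Run daily at 2 AM UTC
    - cron: '0 2 * * *'

# Least privilege: the job token only needs to read the repository contents.
permissions:
  contents: read
  # TODO: Enable once repo is public for SARIF uploads
  # security-events: write

jobs:
  govulncheck:
    name: Go Vulnerability Check
    runs-on: ubuntu-latest
    # Bound runner time so a hung scan does not hold a runner for the default
    # six hours. Constructed value for review: adjust to the observed scan time.
    timeout-minutes: 30
    steps:
      # All third-party actions are pinned to a commit SHA (tag in trailing
      # comment) so a moved tag cannot change what runs here.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Run govulncheck
        uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
        with:
          go-version-input: 'stable'
          go-package: ./...
          # The repository is already checked out by the step above.
          repo-checkout: false

  grype:
    name: Grype Vulnerability Scan
    runs-on: ubuntu-latest
    # Same rationale as govulncheck; constructed value, adjust as needed.
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Run Grype vulnerability scanner
        id: grype-scan
        uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # v7.4.0
        with:
          path: "."
          output-format: "table"
          # Fail the job when a finding at or above the cutoff is reported.
          fail-build: true
          severity-cutoff: "high"
          # Only findings that already have a fix are reported, so
          # vulnerabilities without a published fix neither appear in the
          # table nor fail the build. Deliberate noise reduction; revisit if
          # visibility of unfixed findings is wanted.
          only-fixed: true
      # TODO: Enable SARIF upload once repo is public
      # When enabling this step: pin upload-sarif to a commit SHA like the
      # other actions in this file rather than the floating `@v3` tag, add the
      # `security-events: write` permission above, and confirm the `sarif`
      # step output is populated with `output-format: "table"` (it may only be
      # produced when the output format is sarif).
      # - name: Upload Grype scan results to GitHub Security tab
      #   uses: github/codeql-action/upload-sarif@v3
      #   if: always()
      #   with:
      #     sarif_file: ${{ steps.grype-scan.outputs.sarif }}
      #     category: "grype"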