This action uses govulncheck to scan the code, then parses the output and transforms it into a SARIF report, which is uploaded to GitHub using the code-scanning API. Please note that this requires write permission for security events (`security-events: write` in the workflow's `permissions` block, called `security_events` in the API). The result is then visible in the repository's Security tab. By default the action does not exit with a failure when a vulnerability is found, but it can be configured to do so.
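As an added illustration of the pipeline described above (example code written for this page, not the action's own source), the following Go program parses a constructed govulncheck-style JSON stream, turns each finding into a SARIF 2.1.0 result with one rule per OSV id, and applies the fail-on-vuln rule to its exit code. The input field names (`osv`, `fixed_version`, `trace`, `position`), the trace ordering assumed when choosing a location, the placeholder id `GO-0000-0001` and the `example.com` modules are assumptions made for the example; check the field names against the govulncheck version you actually run.

```go
package main

import (
	"encoding/json"
	"io"
	"os"
	"strings"
)

// Position, Frame and Finding follow govulncheck's streaming -json output as assumed here; verify them against the version you run.
type Position struct {
	Filename string `json:"filename"`
	Line     int    `json:"line"`
}
type Frame struct {
	Module   string    `json:"module"`
	Version  string    `json:"version"`
	Position *Position `json:"position,omitempty"`
}
type Finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version"`
	Trace        []Frame `json:"trace"`
}
type message struct { // one object of the stream; "config" and "progress" objects decode to nothing
	OSV     *struct{ ID, Summary string } `json:"osv,omitempty"`
	Finding *Finding                      `json:"finding,omitempty"`
}

// ParseStream reads the newline-delimited objects and returns the findings plus the summary of every OSV entry.
func ParseStream(r io.Reader) ([]Finding, map[string]string, error) {
	dec := json.NewDecoder(r)
	findings, summaries := []Finding{}, map[string]string{}
	for dec.More() {
		var m message
		if err := dec.Decode(&m); err != nil {
			return nil, nil, err
		}
		switch {
		case m.OSV != nil:
			summaries[m.OSV.ID] = m.OSV.Summary
		case m.Finding != nil:
			findings = append(findings, *m.Finding)
		}
	}
	return findings, summaries, nil
}

// ToSARIF builds a minimal SARIF 2.1.0 document (one run, one rule per OSV id, one result per finding) as plain maps.
func ToSARIF(findings []Finding, summaries map[string]string) map[string]any {
	rules, results, seen := []map[string]any{}, []map[string]any{}, map[string]bool{}
	for _, f := range findings {
		if !seen[f.OSV] {
			seen[f.OSV] = true
			rules = append(rules, map[string]any{"id": f.OSV, "helpUri": "https://pkg.go.dev/vuln/" + f.OSV,
				"shortDescription": map[string]any{"text": summaries[f.OSV]}})
		}
		msg := f.OSV
		if len(f.Trace) > 0 {
			msg += ": " + f.Trace[0].Module + " " + f.Trace[0].Version
		}
		if f.FixedVersion != "" {
			msg += ", fixed in " + f.FixedVersion
		}
		res := map[string]any{"ruleId": f.OSV, "level": "error", "message": map[string]any{"text": msg}}
		// Last frame with a position; assumes the trace runs from the vulnerable symbol to your own entry point.
		for i := len(f.Trace) - 1; i >= 0; i-- {
			if p := f.Trace[i].Position; p != nil {
				res["locations"] = []map[string]any{{"physicalLocation": map[string]any{
					"artifactLocation": map[string]any{"uri": p.Filename}, "region": map[string]any{"startLine": p.Line}}}}
				break
			}
		}
		results = append(results, res)
	}
	return map[string]any{"$schema": "https://json.schemastore.org/sarif-2.1.0.json", "version": "2.1.0",
		"runs": []map[string]any{{"results": results,
			"tool": map[string]any{"driver": map[string]any{"name": "govulncheck", "rules": rules}}}}}
}
// ExitCode mirrors the fail-on-vuln input: findings only fail the job when asked to.
func ExitCode(findings []Finding, failOnVuln bool) int {
	if failOnVuln && len(findings) > 0 {
		return 1
	}
	return 0
}

// sample is a constructed stream with a placeholder OSV id; it is not real govulncheck output.
const sample = `{"config":{"scanner_name":"govulncheck"}}
{"osv":{"id":"GO-0000-0001","summary":"Placeholder: crafted input crashes example.com/lib"}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v1.2.4","trace":[{"module":"example.com/lib","version":"v1.2.3","package":"example.com/lib","function":"Parse"},{"module":"example.com/app","package":"example.com/app","function":"main","position":{"filename":"main.go","line":12,"column":9}}]}}`
func main() {
	findings, summaries, err := ParseStream(strings.NewReader(sample))
	if err != nil {
		panic(err)
	}
	_ = json.NewEncoder(os.Stdout).Encode(ToSARIF(findings, summaries))
	os.Exit(ExitCode(findings, true)) // fail-on-vuln: true
}
```

The document printed by `main` is what the code-scanning API ingests: the action uploads it for you, but if you build your own pipeline, gzip and base64-encode the file before sending it to the code-scanning `sarifs` endpoint with the token described below.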
For a full list of currently known limitations, see the govulncheck documentation. The most important ones are:
- Govulncheck only reads binaries compiled with Go 1.18 and later.
- Govulncheck only reports vulnerabilities that apply to the current Go build system and configuration (GOOS/GOARCH settings).
```yaml
name: My Workflow
on: [push, pull_request]
permissions:
  contents: read
  security-events: write # required to upload the SARIF report
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Running govulncheck
        uses: Templum/govulncheck-action@<version>
        with:
          go-version: "1.18" # quoted so YAML keeps it a string (1.20 would otherwise become 1.2)
          vulncheck-version: latest
          package: ./...
          github-token: ${{ secrets.GITHUB_TOKEN }}
          fail-on-vuln: true
```
| Input | Description |
|---|---|
| `go-version` (optional) | Version of Go used to scan the code; should match your runtime version. Defaults to `1.19`. |
| `vulncheck-version` (optional) | Version of govulncheck to use. Defaults to `latest`. |
| `package` (optional) | The package pattern to scan. Defaults to `./...`. |
| `github-token` (optional) | GitHub token used to upload the SARIF report. Needs write permission for `security_events`. |
| `fail-on-vuln` (optional) | Whether the action should fail when it encounters any vulnerability. Defaults to not failing. |
⚠️ Please be aware that `go-version` must be a valid tag of the `golang` image on Docker Hub (for example `1.19`).
🔒 If no token is specified, the action falls back to `github.token`, the workflow's automatic `GITHUB_TOKEN`; see GitHub's documentation on automatic token authentication for details, including the permissions that token carries.