-
Notifications
You must be signed in to change notification settings - Fork 1
41 lines (33 loc) · 1.14 KB
/
vulnscans.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
name: Vulnerability Check
on:
schedule:
- cron: '0 06 * * 0' # 6am UTC on Sundays
workflow_dispatch:
jobs:
vulnerability-scans:
name: Run vulnerability scans
runs-on: ubuntu-latest
env:
RELEASE_GO_VER: "1.23"
steps:
- name: Check out code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: "Set up Go"
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version: "${{ env.RELEASE_GO_VER }}"
check-latest: true
# intentionally not pinned to always run the latest scanner
- name: "Install govulncheck"
run: |
go install golang.org/x/vuln/cmd/govulncheck@latest
- name: "Run govulncheck"
run: |
govulncheck ./...
# intentionally not pinned to always run the latest scanner
- name: "Install OSV Scanner"
run: |
go install github.com/google/osv-scanner/cmd/osv-scanner@latest
- name: "Run OSV Scanner"
run: |
osv-scanner scan --config .osv-scanner.toml -r --experimental-licenses="Apache-2.0,BSD-2-Clause,BSD-3-Clause,ISC,MIT,CC-BY-SA-4.0,UNKNOWN" .