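---
# Scans this Go module's dependencies against the Go vulnerability database
# using govulncheck, on every push to `main` and on a weekly schedule. The
# report is produced as SARIF and uploaded so findings show up in the
# repository's Code Scanning tab rather than only in job logs.
name: Determine known CVEs through `govulncheck`

on:
  push:
    branches:
      - main
  schedule:
    # Mondays at 00:00 (GitHub evaluates cron schedules in UTC)
    - cron: "0 0 * * 1"

# Workflow-wide default is read-only; the job below requests only the extra
# scope it actually needs.
permissions:
  contents: read

jobs:
  check-for-vulnerabilities:
    name: Check for vulnerabilities using `govulncheck`
    runs-on: ubuntu-latest
    permissions:
      # needed by upload-sarif to write results to Code Scanning
      security-events: write
      contents: read
    steps:
      # Actions are pinned to full commit SHAs rather than mutable tags, so a
      # moved or compromised tag cannot change what runs here; the trailing
      # comment records the matching release for humans. Keep both in sync
      # when bumping.
      - uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
        with:
          # `./...` covers every package in this Go module (not only the
          # top-level `oapi-codegen` package). Nested modules with their own
          # go.mod are outside this pattern: `internal/test`, `examples` and
          # any submodules thereof are intentionally NOT tracked for security
          # updates by this workflow.
          go-package: ./...
          # Produce a SARIF-formatted report so it can be consumed by other
          # tools ...
          output-format: sarif
          output-file: govulncheck.sarif
          # ... such as the Code Scanning tab (Security -> Code scanning,
          # filter `tool:govulncheck`). NOTE(review): confirm govulncheck's
          # exit status for non-text output formats — if it is 0 even when
          # vulnerabilities are found, this job stays green and triage relies
          # entirely on that tab.
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
        with:
          sarif_file: govulncheck.sarif
          # Distinct category so these results are tracked independently of
          # any other SARIF upload (e.g. CodeQL) for the same commit.
          category: govulncheck
      - name: Print code scanning results URL
        # Pass the context value through the environment instead of expanding
        # `${{ }}` inside the shell script. `github.repository` is not
        # attacker-controlled, so this is hygiene rather than a fix, but it
        # keeps template expansion out of `run:` blocks per GitHub's hardening
        # guidance so a less trusted context value added later cannot inject
        # into the shell.
        env:
          REPOSITORY: ${{ github.repository }}
        run: |
          echo "Results: https://github.com/${REPOSITORY}/security/code-scanning?query=is%3Aopen+branch%3Amain+tool%3Agovulncheck"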