ci(security): add govulncheck (blocking) and gosec (informational) scanners#514

Merged
ericfitz merged 5 commits into
mainfrom
feature/ci-security-scanners
Jul 1, 2026

Conversation

@ericfitz ericfitz commented Jul 1, 2026
Owner
Summary

Adds two security-scanner jobs to .github/workflows/security.yml, alongside the existing CodeQL workflow and the gosec already embedded in golangci-lint:

  • govulncheck (blocking): govulncheck ./..., pinned @v1.1.4. Fails the build on any called known vulnerability. Pre-flight confirmed the module is currently clean, so enabling this as a gate is safe today.
  • gosec (informational): gosec -no-fail -exclude-generated -exclude-dir=.tmi-clients -fmt sarif ..., pinned @v2.22.5. Never blocks the build; uploads SARIF to the Security → Code scanning tab (category: gosec).

Both reuse the existing checkout + setup-go + tmi-clients replace-shim pattern. CodeQL and the linter-embedded gosec are intentionally left as-is (broader scope + Security-tab visibility is the point).

Design & plan

  • Spec: docs/superpowers/specs/2026-07-01-ci-security-scanners-design.md
  • Plan: docs/superpowers/plans/2026-07-01-ci-security-scanners.md

Review note

Whole-branch review caught one real issue, now fixed: the "informational" gosec SARIF upload would turn red on Dependabot/fork PRs (read-only GITHUB_TOKEN can't satisfy security-events: write, so upload-sarif 403s). Resolved by marking the upload step continue-on-error: true — it still posts to the Security tab on normal branch/main runs but never blocks.

Follow-ups (post-merge)

  1. Mark Vulnerability Scan (govulncheck) a required status check in main branch protection so it blocks merges. (Do NOT add gosec — informational by design.)
  2. Consider SHA-pinning the third-party actions uniformly across security.yml (current repo convention is major-tag pinning).
  3. Consider adding govulncheck/gosec to Dependabot so their pinned versions auto-bump.

🤖 Generated with Claude Code
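The two jobs the description lays out (a blocking govulncheck gate, an informational gosec run whose SARIF upload must not fail fork or Dependabot PRs), as an added example workflow. This is not the project's security.yml: the job ids, the gosec.sarif file name, the go-version-file input and the trigger block are assumptions, and the tmi-clients replace-shim step is only marked, not reproduced. Versions, flags and the continue-on-error fix are the ones the PR states.

```yaml
# Added example, not the project's own workflow file. Assumed: job ids,
# gosec.sarif as the output file, go-version-file: go.mod, the triggers.
name: security

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  # upload-sarif needs this; fork and Dependabot PRs still get a read-only
  # GITHUB_TOKEN regardless, which is why the upload step below may 403.
  security-events: write

jobs:
  govulncheck:
    name: Vulnerability Scan (govulncheck)   # the check to mark "required" in branch protection
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      # (project's tmi-clients replace-shim step goes here; not reproduced)
      - name: Install govulncheck (pinned)
        run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.4
      - name: govulncheck (blocking)
        # Exits non-zero only for known vulnerabilities in code the module
        # actually calls, so a red run here means a reachable CVE, not just
        # a vulnerable dependency somewhere in go.sum.
        run: govulncheck ./...

  gosec:
    name: Static Analysis (gosec, informational)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      # (project's tmi-clients replace-shim step goes here; not reproduced)
      - name: Install gosec (pinned)
        run: go install github.com/securego/gosec/v2/cmd/gosec@v2.22.5
      - name: gosec (never fails the build)
        # -no-fail keeps the exit code 0 even with findings; -exclude-generated and
        # -exclude-dir=.tmi-clients keep generated client code out of the report.
        run: gosec -no-fail -exclude-generated -exclude-dir=.tmi-clients -fmt sarif -out gosec.sarif ./...
      - name: Upload SARIF to the Security tab
        uses: github/codeql-action/upload-sarif@v3
        # On fork/Dependabot PRs the read-only token cannot satisfy
        # security-events: write and this step 403s. continue-on-error keeps
        # the informational job green; main and branch runs still populate
        # Security -> Code scanning under category "gosec".
        continue-on-error: true
        with:
          sarif_file: gosec.sarif
          category: gosec
```

Note that continue-on-error sits on the upload step only: the gosec run itself is already non-blocking through -no-fail, and putting continue-on-error on the whole job would also mask a broken install or checkout. If the repo later moves to SHA pinning (follow-up 2), the @v4/@v5/@v3 tags above are the three references that would become full commit SHAs.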

ericfitz and others added 5 commits July 1, 2026 12:34
…ev target

Three independent developer-tooling designs from a brainstorming session:
- pre-commit hook (gofmt + go vet + golangci-lint --fast-only, blocking)
- CI security scanners (govulncheck blocking + standalone gosec informational)
- k3s dev deployment target (CLUSTER=k3s, self-contained remote cluster)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Kk9GxWS9EpazjbwBKfMpUX
…s, k3s dev target

One plan per spec:
- pre-commit hook (2 tasks)
- CI security scanners (4 tasks)
- k3s dev target (6 tasks + pre-flight); flags migration-Job -> startup-AutoMigrate deviation

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Kk9GxWS9EpazjbwBKfMpUX
@github-advanced-security

Contributor

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@ericfitz ericfitz merged commit d23ea95 into main Jul 1, 2026
12 checks passed
@ericfitz ericfitz deleted the feature/ci-security-scanners branch July 1, 2026 20:44
