
GHO-11179, GHO-11180: Offline mode, custom config, license check support, cosign signing#3

Merged
matslofva merged 3 commits into main from GHO-11179-11180 on Feb 9, 2026

Conversation

@matslofva
Collaborator

📑 Description (what does this PR add, change, remove)

Cosign signing added to release workflow.

Address some TODOs:

Offline use:

% date && dist/wraith_darwin_arm64_v8.0/wraith download-db
Mon Feb  9 15:56:17 CET 2026
Downloading vulnerability database for offline scanning...
Database downloaded successfully. You can now use --offline for scans.
% ls -la ~/Library/Caches/osv-scanner/Go/all.zip
-rw-r--r--@ 1 davidmatslofva  staff  6134391 Feb  9 15:56 /Users/davidmatslofva/Library/Caches/osv-scanner/Go/all.zip

% dist/wraith_darwin_arm64_v8.0/wraith scan --offline go.mod

──────────────────────────────────────────────────
 SCAN SUMMARY
──────────────────────────────────────────────────

Packages scanned: 1
Vulnerabilities:  1
Affected packages: 1

● stdlib 1.25.6 (Go)
  └─ GO-2026-4337
     Unexpected session resumption in crypto/tls
     CVEs: CVE-2025-68121

! Review and address the issues above.

Custom config:

% cat osv-scanner.toml
# OSV-Scanner configuration file
# See: https://google.github.io/osv-scanner/configuration/

[[IgnoredVulns]]
id = "GO-2026-4337"
reason = "Testing config file - ignoring for demo purposes"

% dist/wraith_darwin_arm64_v8.0/wraith scan --offline go.mod

──────────────────────────────────────────────────
 SCAN SUMMARY
──────────────────────────────────────────────────

Packages scanned: 0
Vulnerabilities:  0

✓ No issues found!

License checks:

% dist/wraith_darwin_arm64_v8.0/wraith scan --licenses --license-allowlist MIT,Apache-2.0,BSD-3-Clause,UNKNOWN go.mod

──────────────────────────────────────────────────
 SCAN SUMMARY
──────────────────────────────────────────────────

Packages scanned: 0

 License Summary
  UNKNOWN: 1

Vulnerabilities:  0
License violations: 0

✓ No issues found!

^ exit code 0

% dist/wraith_darwin_arm64_v8.0/wraith scan --licenses --license-allowlist MIT,Apache-2.0,BSD-3-Clause go.mod

──────────────────────────────────────────────────
 SCAN SUMMARY
──────────────────────────────────────────────────

Packages scanned: 1

 License Summary
  UNKNOWN: 1

Vulnerabilities:  0
License violations: 1

 LICENSE VIOLATIONS

● stdlib 1.25.6
  License: UNKNOWN
  Violation: UNKNOWN

! Review and address the issues above.

^ exit code 1

✅ Checks

  • My pull request adheres to the code style of this project
  • My code required changes to the documentation; I've included those changes
  • I've added tests to support this change (where applicable)

@matslofva matslofva merged commit df3db73 into main Feb 9, 2026
2 checks passed
@matslofva matslofva deleted the GHO-11179-11180 branch February 9, 2026 15:43
