-
Notifications
You must be signed in to change notification settings - Fork 81
44 lines (35 loc) · 1.15 KB
/
vulnscans.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
name: Vulnerability Scans
on:
schedule:
- cron: '0 06 * * 0' # 6am UTC on Sundays
workflow_dispatch:
permissions:
contents: read
jobs:
vulnerability-scans:
name: Run vulnerability scans
runs-on: ubuntu-latest
env:
RELEASE_GO_VER: "1.22"
steps:
- name: Check out code
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- name: "Set up Go"
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: "${{ env.RELEASE_GO_VER }}"
check-latest: true
# intentionally not pinned to always run the latest scanner
- name: "Install govulncheck"
run: |
go install golang.org/x/vuln/cmd/govulncheck@latest
- name: "Run govulncheck"
run: |
govulncheck ./...
# intentionally not pinned to always run the latest scanner
- name: "Install OSV Scanner"
run: |
go install github.com/google/osv-scanner/cmd/osv-scanner@latest
- name: "Run OSV Scanner"
run: |
osv-scanner scan --config .osv-scanner.toml -r --experimental-licenses="Apache-2.0,BSD-3-Clause,MIT,CC-BY-SA-4.0,UNKNOWN" .