feat: upgrade to Go 1.25.10 and add Trivy & Govulncheck security scans #111

Merged: dushimsam merged 1 commit into main from feat/configure-security-scan on May 15, 2026

Conversation

@dushimsam (Collaborator)
Comment thread .github/workflows/pr.yml
Comment on lines +11 to +57
name: Security, Test, Lint & Build
runs-on: ubuntu-latest

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: '1.25'
cache: true
- name: Run tests
run: make test

- name: Run golangci-lint
uses: golangci/golangci-lint-action@v8
with:
version: v2.4.0
working-directory: .

- name: Build for Linux AMD64
run: make GOOS=linux GOARCH=amd64 build

- name: Verify binary
run: |
ls -la build/
file build/sc-console-agent
./build/sc-console-agent -v
- name: Checkout code
uses: actions/checkout@v4

- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: '1.25.10'
cache: true

- name: Run Trivy Vulnerability Scanner (SCA)
uses: aquasecurity/trivy-action@0.35.0
with:
scan-type: 'fs'
scan-ref: '.'
format: 'table'
exit-code: '1'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
skip-dirs: '.envs'
skip-files: '.env'

- name: Run Govulncheck
uses: golang/govulncheck-action@v1.0.4
with:
go-version-input: '1.25.10'

# 📊 Tests
- name: Run Tests
run: make test

- name: Run golangci-lint
uses: golangci/golangci-lint-action@v9
with:
working-directory: .

- name: Build for Linux AMD64
run: make GOOS=linux GOARCH=amd64 build

- name: Verify binary file type & version
run: |
ls -la build/
file build/sc-console-agent
./build/sc-console-agent -v
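Review bot: the golangci-lint step lost its explicit pin when it moved from `golangci/golangci-lint-action@v8` with `version: v2.4.0` to `@v9` with only `working-directory: .`, so the linter version now floats between runs and a rule added upstream can start failing PRs without any change in this repo; restore a `version:` input under the v9 step. Two smaller points: `go-version: '1.25.10'` is now repeated in the setup-go step and in govulncheck's `go-version-input`, so a future bump has to touch both places (setup-go can read it from `go.mod` via its `go-version-file` input, and this PR adds the toolchain directive there); and `ignore-unfixed: true` together with `exit-code: '1'` means CRITICAL/HIGH findings that have no upstream fix never block the build, which is a defensible choice but deserves a comment on the step so nobody later reads it as a hard gate.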
greptile-apps (Bot) commented May 15, 2026

Greptile Summary

This PR upgrades the project to Go 1.25.10 and bolts two new security scanning gates onto the PR validation workflow: a Trivy filesystem SCA scan (blocking on CRITICAL/HIGH unfixed CVEs) and a govulncheck step that traces known vulnerabilities through the actual call graph.

  • Go upgrade: go-version in CI, GO_VERSION in the Makefile, and a new toolchain go1.25.10 directive in go.mod are all updated consistently; the go 1.25 minimum-version line is kept, which is correct Go module semantics.
  • CI hardening: permissions: contents: read and explicit types triggers are added to the workflow, and a companion scripts/security-scan.sh provides the same two scans for local developer use with graceful tool-not-found messaging.

Confidence Score: 5/5

Safe to merge — changes are additive CI/security tooling with no modifications to application logic.

The Go version bump, toolchain directive, and new scanning steps are all consistent with each other and with the rest of the repo. The security-scan.sh script is a local utility that accumulates exit codes correctly. No application code is touched.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/pr.yml | Adds Trivy SCA and Govulncheck steps, pins Go to 1.25.10, tightens PR event triggers, and adds contents: read least-privilege permissions. |
| Makefile | Bumps GO_VERSION from 1.24.3 to 1.25.10 and adds a security-scan target that delegates to the new shell script. |
| go.mod | Adds toolchain go1.25.10 directive alongside the existing go 1.25 minimum version line; correct Go 1.21+ semantics. |
| scripts/security-scan.sh | New local dev script that discovers Trivy and govulncheck, runs both scans, and aggregates exit codes so all failures are reported before exiting. |
Prompt To Fix All With AI
Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
.github/workflows/pr.yml:26-27
The two new security-scanning actions are pinned to mutable version tags (`0.35.0` and `v1.0.4`). Tags can be force-pushed, so a compromised upstream repo could silently replace the tag's target commit and inject malicious code into the workflow without any diff being visible here. Pinning to the immutable SHA digest prevents this. The existing actions in this file follow the same mutable-tag pattern, so updating all of them at once would be the cleanest fix.

```suggestion
      - name: Run Trivy Vulnerability Scanner (SCA)
        uses: aquasecurity/trivy-action@915ce7f4e1d4e55b17e29e75c47b37d9ff2be2ae  # v0.35.0
```

Reviews (2): Last reviewed commit: "feat: upgrade to Go 1.25.10 and integrat..."
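The summary above describes `scripts/security-scan.sh` as a local wrapper that finds Trivy and govulncheck, runs both, and aggregates exit codes so every failure is reported before the script exits. The script below is an added example in that shape; it is not the project's own `scripts/security-scan.sh` and has not been taken from the PR. The Trivy flags are assumed to mirror the workflow's inputs (`--severity CRITICAL,HIGH --ignore-unfixed --exit-code 1 --skip-dirs .envs --skip-files .env`), and a scanner missing from `PATH` is treated as a skip rather than a failure so a developer can still run whichever tools they have installed.

```shell
#!/bin/sh
# Added example of a local security-scan wrapper (not the project's
# scripts/security-scan.sh). Assumed invocations: `trivy fs` with flags that
# mirror the PR workflow's Trivy inputs, and `govulncheck ./...`.

# run_scan NAME TOOL [ARGS...]
# Runs TOOL if it is on PATH and returns the tool's exit status. A missing
# tool is reported and treated as a skip (status 0): local runs should not
# fail just because one scanner is not installed; CI installs both.
run_scan() {
  name=$1
  shift
  if ! command -v "$1" >/dev/null 2>&1; then
    printf '[skip] %s: %s not found on PATH\n' "$name" "$1"
    return 0
  fi
  printf '[run ] %s: %s\n' "$name" "$*"
  "$@"
  rc=$?
  if [ "$rc" -ne 0 ]; then
    printf '[FAIL] %s exited with status %s\n' "$name" "$rc"
  else
    printf '[ ok ] %s\n' "$name"
  fi
  return "$rc"
}

# security_scan
# Runs both scanners, counting failures instead of stopping at the first one,
# and returns non-zero at the end if any scan reported findings.
security_scan() {
  failures=0

  # Filesystem SCA scan; the flags are the CLI equivalents of the workflow's
  # trivy-action inputs (assumed, see lead-in).
  run_scan "Trivy SCA" trivy fs \
      --severity CRITICAL,HIGH \
      --ignore-unfixed \
      --exit-code 1 \
      --skip-dirs .envs \
      --skip-files .env \
      . || failures=$((failures + 1))

  # Call-graph aware check of the Go module against the Go vulnerability DB.
  run_scan "govulncheck" govulncheck ./... || failures=$((failures + 1))

  if [ "$failures" -ne 0 ]; then
    printf '%s scan(s) reported findings\n' "$failures"
    return 1
  fi
  printf 'all scans passed or were skipped\n'
  return 0
}

# The script's exit status is the status of this last command, so `make
# security-scan` fails exactly when at least one scanner failed.
security_scan
```

Because `run_scan` is a function taking the tool as its arguments, the aggregation logic can be exercised with `true`/`false` stand-ins without either scanner installed, which is also how the failure-counting path was checked here.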

@dushimsam dushimsam force-pushed the feat/configure-security-scan branch from c017c63 to 0ce6bf3 Compare May 15, 2026 07:44
@dushimsam (Collaborator, Author) commented:

@greptile

@dushimsam dushimsam force-pushed the feat/configure-security-scan branch from 0ce6bf3 to 5819de5 Compare May 15, 2026 07:50
@dushimsam dushimsam merged commit d8a4a24 into main May 15, 2026
2 of 4 checks passed