Golang Vulncheck
ActionsTags
(2)
This action uses govulncheck to perform a scan of the code, afterwards it will parse the output and transform it into an Sarif Report, which will be uploaded to Github using the code-scanning API. Please note this requires write-permission for security_events. The result should then be visible within the security-tab. By default this action won't exit with a failure if a vulnerability was found, but it can be configured this way.
For a full list of currently known limitations please head over to here. Listed below are an important overview.
- Govulncheck analyzes function pointer and interface calls conservatively, which may result in false positives or inaccurate call stacks in some cases.
- Calls to functions made using package reflect are not visible to static analysis. Vulnerable code reachable only through those calls will not be reported.
- There is no support for silencing vulnerability findings.
Where can I find the scan results of this action ?
Please be aware there will be no direct output to the console, all found vulnerabilities will be reported to Github via an Sarif Report. Therefore all findings should be located in the Security-Tab under the Code Scanning-Section.
This configuration uses a different version of go (1.18) scans ./... and will fail if at least one vulnerability was found. Also it explicitly sets the github-token.
name: My Workflow
on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Running govulncheck
uses: Templum/govulncheck-action@<version>
with:
go-version: 1.18
vulncheck-version: latest
package: ./...
github-token: ${{ secrets.GITHUB_TOKEN }}
fail-on-vuln: trueThis configuration uses most of the default values, which are specified below. However it skips the upload to Github and instead uses the upload-artifact-action to upload the result directly as build artifact.
name: My Workflow
on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Running govulncheck
uses: Templum/govulncheck-action@<version>
with:
skip-upload: true
- name: Upload Sarif Report
uses: actions/upload-artifact@v3
with:
name: sarif-report
path: govulncheck-report.sarif| Input | Description |
|---|---|
go-version (optional) |
Version of Go used for scanning the code, should equal your runtime version. Defaults to 1.19 |
vulncheck-version (optional) |
Version of govulncheck that should be used, by default latest |
package (optional) |
The package you want to scan, by default will be ./... |
github-token (optional) |
Github Token to upload sarif report. Needs write permissions for security_events |
fail-on-vuln (optional) |
This allows you to specify if the action should fail on encountering any vulnerability, by default it will not |
skip-upload (optional) |
This flag allows you to skip the sarif upload, it will be instead written to disk as govulncheck-report.sarif |
⚠️ Please be aware that go-version should be a valid tag name for the golang dockerhub image.
🔒 Please be aware if the token is not specified it uses
github.tokenfor more details on that check those docs
Golang Vulncheck is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.
About
Tags
(2)Golang Vulncheck is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.