govulncheck-action's Introduction

govulncheck-action

This is yet another action using govulncheck to identify vulnerabilities in your Go code.It checks the code against known vulnerabilities published in pkg.go.dev/vuln.

Usage

name: "Vulnerability scan"

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ '**' ]

jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 1
    - uses: florianl/[email protected]

A more advanced example that includes call stacks and provides a JSON output might look like this:

name: "Vulnerability scan"

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ '**' ]

jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 1
    - uses: florianl/[email protected]
      with:
        govulncheck-json: true
        govulncheck-verbose: true

Options

`install-go`

Let the action install a version of Go. If set to false, the action expects you to have installed Go already. By default Go 1.19 will be installed.

`working-directory`

Optional path to the working directory govulncheck should be executed in.

`govulncheck-json`

Provide JSON output instead of standard text.

`govulncheck-tags`

Comma-seprated list of Go build tags.

`govulncheck-verbose`

Print a full call stack for each identified vulnerability.

`govulncheck-version`

Specify a verion of govulncheck to install. By default latest will be used.

govulncheck-action's People

Contributors

Stargazers

Watchers

govulncheck-action's Issues

Fails when working directory is not set

I created an action based off of the examples in the README: https://github.com/capnspacehook/egress-eddie/blob/59f4022b84449d4c5e3e77f269d990345fda8838/.github/workflows/vuln.yml

It failed when trying to cd to the working directory, which defaulted to ..

Output:

Run florianl/[email protected]
  with:
    install-go: false
    govulncheck-verbose: true
    working-directory: .
    govulncheck-version: latest
    govulncheck-json: false
Run if [[ "${json}" != "false" ]] ; then
  if [[ "${json}" != "false" ]] ; then
    flags+=" -json"
  fi
  if [ -z "${tags}" ] ; then
    flags+=" -tags ${tags}"
  fi
  if [[ "${verbose}" != "false" ]] ; then
    flags+=" -v"
  fi
  go install "golang.org/x/vuln/cmd/govulncheck@${version}"
  cd ${working-directory}
  $(go env GOPATH)/bin/govulncheck ./...
  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
  env:
    json: false
    tags: 
    verbose: true
    version: latest
    working-directory: .
    flags: 
go: downloading golang.org/x/vuln v0.0.0-20220923181559-cbe0a6944b8b
go: downloading golang.org/x/tools v0.1.13-0.20220803210227-8b9a1fbdf5c3
go: downloading golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e
go: downloading golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4
go: downloading golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f
/home/runner/work/_temp/e6b30d32-3608-470d-bda1-3fb466e96224.sh: line 11: cd: directory: No such file or directory
Error: Process completed with exit code 1.

Recommend Projects