Security Scan #132
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security Scan | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| schedule: | |
| # Run daily at 2 AM UTC | |
| - cron: "0 2 * * *" | |
| workflow_dispatch: | |
| # Concurrency control to prevent multiple runs | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| # Top-level permissions: read-all for security | |
| permissions: read-all | |
| jobs: | |
| dependency-submission: | |
| name: Go Dependency Submission | |
| runs-on: ubuntu-latest | |
| if: "github.event_name == 'push' && github.ref == 'refs/heads/main' && !startsWith(github.event.head_commit.message, 'chore:')" | |
| permissions: | |
| contents: write | |
| env: | |
| GO_VERSION: "1.24" | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Submit Go dependencies | |
| uses: actions/go-dependency-submission@v2 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| codeql: | |
| name: CodeQL Security Analysis (Go) | |
| runs-on: ubuntu-latest | |
| if: "!startsWith(github.event.head_commit.message, 'chore:')" | |
| env: | |
| GO_VERSION: "1.24" | |
| permissions: | |
| security-events: write | |
| actions: read | |
| contents: read | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v4 | |
| with: | |
| languages: go | |
| queries: security-and-quality | |
| - name: Build Go Application | |
| run: | | |
| go build -v ./cmd/wand | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v4 | |
| continue-on-error: true | |
| with: | |
| category: go-application | |
| secret-scanning: | |
| name: Secret & Credential Scanning | |
| runs-on: ubuntu-latest | |
| if: "!startsWith(github.event.head_commit.message, 'chore:')" | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install Gitleaks | |
| run: | | |
| wget https://github.com/gitleaks/gitleaks/releases/download/v8.22.1/gitleaks_8.22.1_linux_x64.tar.gz | |
| tar -xzf gitleaks_8.22.1_linux_x64.tar.gz | |
| sudo mv gitleaks /usr/local/bin/ | |
| gitleaks version | |
| - name: Run Gitleaks Scan | |
| run: gitleaks detect --source . --verbose --no-git | |
| go-static-analysis: | |
| name: Go Static Analysis | |
| runs-on: ubuntu-latest | |
| if: "!startsWith(github.event.head_commit.message, 'chore:')" | |
| env: | |
| GO_VERSION: "1.24" | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Run go vet | |
| run: go vet ./... | |
| - name: Run staticcheck | |
| run: | | |
| go install honnef.co/go/tools/cmd/staticcheck@2025.1.1 | |
| staticcheck ./... | |
| - name: Run gosec (Security Checker) | |
| run: | | |
| go install github.com/securego/gosec/v2/cmd/gosec@v2.22.10 | |
| gosec -fmt=json -out=gosec-report.json ./... | |
| continue-on-error: true | |
| - name: Upload gosec Report | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: gosec-security-report | |
| path: gosec-report.json | |
| retention-days: 30 | |
| go-vulnerability-scan: | |
| name: Go Vulnerability Scanning | |
| runs-on: ubuntu-latest | |
| if: "!startsWith(github.event.head_commit.message, 'chore:')" | |
| env: | |
| GO_VERSION: "1.24" | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Run govulncheck | |
| run: | | |
| echo "π Scanning Go application for known vulnerabilities..." | |
| go install golang.org/x/vuln/cmd/govulncheck@v1.1.4 | |
| govulncheck -json ./... > govulncheck-report.json || true | |
| echo "" | |
| echo "π Vulnerability Summary:" | |
| govulncheck ./... | |
| - name: List Go Dependencies | |
| run: | | |
| echo "π¦ Go Module Dependencies:" | |
| go list -m all | |
| echo "" | |
| echo "π² Dependency Tree:" | |
| go mod graph | head -20 | |
| # Export full dependency list | |
| go list -json -m all > go-dependencies.json | |
| - name: Upload Vulnerability Reports | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: go-vulnerability-reports | |
| path: | | |
| govulncheck-report.json | |
| go-dependencies.json | |
| retention-days: 30 | |
| dependency-review: | |
| name: Go Dependency Review | |
| runs-on: ubuntu-latest | |
| env: | |
| GO_VERSION: "1.24" | |
| if: "github.event_name == 'pull_request' && !startsWith(github.event.head_commit.message, 'chore:')" | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Dependency Review | |
| uses: actions/dependency-review-action@v4 | |
| continue-on-error: true | |
| with: | |
| fail-on-severity: moderate | |
| base-ref: ${{ github.event.pull_request.base.sha }} | |
| head-ref: ${{ github.event.pull_request.head.sha }} | |
| go-license-check: | |
| name: Go License Compliance | |
| runs-on: ubuntu-latest | |
| if: "!startsWith(github.event.head_commit.message, 'chore:')" | |
| env: | |
| GO_VERSION: "1.24" | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Check Go Module Licenses | |
| run: | | |
| go install github.com/google/go-licenses/v2@v2.0.1 | |
| go-licenses report ./cmd/wand > licenses-report.txt || true | |
| echo "π License Summary:" | |
| cat licenses-report.txt | |
| - name: Upload License Report | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: go-license-report | |
| path: licenses-report.txt | |
| retention-days: 30 | |
| openssf-scorecard: | |
| name: OpenSSF Security Scorecard | |
| runs-on: ubuntu-latest | |
| if: "!startsWith(github.event.head_commit.message, 'chore:')" | |
| permissions: | |
| security-events: write | |
| id-token: write | |
| contents: read | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: false | |
| - name: Run Scorecard Analysis | |
| uses: ossf/scorecard-action@v2.4.3 | |
| continue-on-error: true | |
| with: | |
| results_file: results.sarif | |
| results_format: sarif | |
| publish_results: true | |
| - name: Upload SARIF Results | |
| uses: github/codeql-action/upload-sarif@v4 | |
| continue-on-error: true | |
| with: | |
| sarif_file: results.sarif | |
| summary: | |
| name: Security Scan Summary | |
| needs: | |
| [ | |
| codeql, | |
| secret-scanning, | |
| go-static-analysis, | |
| go-vulnerability-scan, | |
| go-license-check, | |
| openssf-scorecard, | |
| ] | |
| if: always() | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Generate Summary | |
| run: | | |
| echo "# Wand Security Scan Summary" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "## Scan Results" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "- CodeQL Analysis: ${{ needs.codeql.result }}" >> $GITHUB_STEP_SUMMARY | |
| echo "- Secret Scanning: ${{ needs.secret-scanning.result }}" >> $GITHUB_STEP_SUMMARY | |
| echo "- Static Analysis: ${{ needs.go-static-analysis.result }}" >> $GITHUB_STEP_SUMMARY | |
| echo "- Vulnerability Scan: ${{ needs.go-vulnerability-scan.result }}" >> $GITHUB_STEP_SUMMARY | |
| echo "- License Check: ${{ needs.go-license-check.result }}" >> $GITHUB_STEP_SUMMARY | |
| echo "- OpenSSF Scorecard: ${{ needs.openssf-scorecard.result }}" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "## Security Features" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "This workflow scans the **wand package manager** application:" >> $GITHUB_STEP_SUMMARY | |
| echo "- β Go source code security (CodeQL)" >> $GITHUB_STEP_SUMMARY | |
| echo "- β Go dependencies vulnerabilities (govulncheck)" >> $GITHUB_STEP_SUMMARY | |
| echo "- β Static analysis (go vet, staticcheck, gosec)" >> $GITHUB_STEP_SUMMARY | |
| echo "- β Secret detection (Gitleaks)" >> $GITHUB_STEP_SUMMARY | |
| echo "- β License compliance" >> $GITHUB_STEP_SUMMARY | |
| echo "- β Repository security best practices (Scorecard)" >> $GITHUB_STEP_SUMMARY |