Security Scan #80
name: Security Scan

# Triggers: a weekly scheduled run plus every push / pull request to main.
on:  # yamllint disable-line rule:truthy
  schedule:
    # Run weekly on Sunday at 2 AM UTC
    - cron: '0 2 * * 0'
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

# Workflow-wide GITHUB_TOKEN scopes. A job that declares its own
# `permissions` block (codeql below) replaces this set entirely rather
# than adding to it.
# NOTE(review): `pull-requests: write` is only needed by jobs that post PR
# comments (dependency-review's comment-summary-in-pr, and gitleaks if its
# PR commenting is enabled); scoping it to those jobs would be tighter.
permissions:
  contents: read
  security-events: write
  pull-requests: write
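jobs:
  # Module vulnerability scanning (govulncheck, Nancy) plus a Trivy
  # filesystem scan whose SARIF is uploaded to the Security tab.
  security-scan:
    name: Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v6

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          # Quoted so YAML never reinterprets the version as a float
          # (an unquoted 1.20 would be read as 1.2).
          go-version: '1.24'
          cache: true

      - name: Download dependencies
        run: go mod download

      # Official Go vulnerability database check over every package.
      - name: Run govulncheck
        uses: golang/govulncheck-action@v1
        with:
          go-version-input: '1.24'
          go-package: ./...
          # The repository is already checked out above.
          repo-checkout: false

      # Advisory only: continue-on-error means Nancy findings never fail
      # the job. The :latest image tag is unpinned, so the scanner version
      # can change between runs; pin a tag if reproducible results matter.
      - name: Run Nancy vulnerability scanner for Go modules
        run: |
          go list -json -m all | docker run --rm -i sonatypecommunity/nancy:latest sleuth
        continue-on-error: true

      # NOTE(review): @master is a mutable ref; pinning to a release tag or
      # commit SHA keeps the scanner itself reproducible and reviewable.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'

      # always(): publish whatever Trivy produced even when an earlier
      # step failed, so findings are not lost on a red run.
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'

  # Blocks PRs that introduce vulnerable or license-denied dependencies.
  # The action only has a diff to review on pull_request events.
  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    steps:
      - name: Check out code
        uses: actions/checkout@v6

      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: moderate
          # allow-licenses and deny-licenses are mutually exclusive;
          # only one may be active at a time.
          #allow-licenses: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, MPL-2.0
          deny-licenses: GPL-2.0, GPL-3.0, LGPL-2.1, LGPL-3.0, AGPL-3.0
          # Requires the workflow-level `pull-requests: write` scope.
          comment-summary-in-pr: true

  # Static analysis; runs on schedule and push only, so PRs rely on the
  # jobs above rather than CodeQL.
  codeql:
    name: CodeQL Analysis
    runs-on: ubuntu-latest
    if: github.event_name == 'schedule' || github.event_name == 'push'
    # Job-level permissions replace the workflow-level set for this job.
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language: ['go']
    steps:
      - name: Check out code
        uses: actions/checkout@v6

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
          # Extended query pack on top of the default security suite.
          queries: +security-and-quality

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: '1.24'
          cache: true

      # Explicit build so CodeQL traces compilation of both binaries.
      - name: Build for CodeQL
        run: |
          go mod download
          go build ./cmd/git-pr-cli
          go build ./cmd/git-pr-mcp

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: "/language:${{matrix.language}}"

  # Scans the full git history for committed secrets.
  secret-scan:
    name: Secret Scan
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v6
        with:
          # Full history is required so gitleaks can inspect every commit,
          # not just the checked-out tree.
          fetch-depth: 0

      # NOTE(review): gitleaks-action v2 also expects a GITLEAKS_LICENSE
      # secret when run in an organization repository -- confirm for this repo.
      - name: Run gitleaks secret scanner
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # Fails on disallowed dependency licenses and publishes a license report.
  license-check:
    name: License Check
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v6

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: '1.24'
          cache: true

      - name: Download dependencies
        run: go mod download

      # NOTE(review): @latest is unpinned, so the checker version can change
      # between runs; pin a tagged version for reproducible results.
      - name: Install go-licenses
        run: go install github.com/google/go-licenses@latest

      # A check failure here fails the job, and the report steps below then
      # do not run.
      - name: Check licenses
        run: |
          go-licenses check ./cmd/git-pr-cli
          go-licenses check ./cmd/git-pr-mcp

      # `|| true` keeps report generation best-effort: a csv failure leaves
      # the section empty instead of failing the job.
      - name: Save license information
        run: |
          echo "# License Report" > license-report.md
          echo "" >> license-report.md
          echo "## CLI Dependencies" >> license-report.md
          go-licenses csv ./cmd/git-pr-cli >> cli-licenses.csv || true
          if [ -f cli-licenses.csv ]; then
            echo '```' >> license-report.md
            cat cli-licenses.csv >> license-report.md
            echo '```' >> license-report.md
          fi
          echo "" >> license-report.md
          echo "## MCP Server Dependencies" >> license-report.md
          go-licenses csv ./cmd/git-pr-mcp >> mcp-licenses.csv || true
          if [ -f mcp-licenses.csv ]; then
            echo '```' >> license-report.md
            cat mcp-licenses.csv >> license-report.md
            echo '```' >> license-report.md
          fi

      - name: Upload license report
        uses: actions/upload-artifact@v6
        with:
          name: license-report
          path: |
            license-report.md
            cli-licenses.csv
            mcp-licenses.csv
          retention-days: 30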