From c61e325ace91244e670d5b1d954d80fdadb85a54 Mon Sep 17 00:00:00 2001
From: Dwi Siswanto <25837540+dwisiswant0@users.noreply.github.com>
Date: Thu, 9 Jan 2025 16:54:13 +0700
Subject: [PATCH] ci: added new `govulncheck` workflow (#5964)
* chore(dependabot): added new `security` group Signed-off-by: Dwi Siswanto * ci: added new `govulncheck` workflow Signed-off-by: Dwi Siswanto * chore(dependabot): merge 2 groups Signed-off-by: Dwi Siswanto --------- Signed-off-by: Dwi Siswanto
---
 .github/dependabot.yml | 6 ++++--
 .github/workflows/govulncheck.yaml | 26 ++++++++++++++++++++++++++
 2 files changed, 30 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/govulncheck.yaml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 1ab75e400a..9e554c00d0 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,11 +8,13 @@ updates:
     commit-message:
       prefix: "chore"
       include: "scope"
-    allow:
-      - dependency-name: "github.com/projectdiscovery/*"
     groups:
       modules:
         patterns: ["github.com/projectdiscovery/*"]
+      security:
+        applies-to: "security-updates"
+        patterns: ["*"]
+        exclude-patterns: ["github.com/projectdiscovery/*"]
     labels:
       - "Type: Maintenance"
diff --git a/.github/workflows/govulncheck.yaml b/.github/workflows/govulncheck.yaml
new file mode 100644
index 0000000000..1a116fa8f9
--- /dev/null
+++ b/.github/workflows/govulncheck.yaml
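Review bot: Dropping the `allow:` / `- dependency-name: "github.com/projectdiscovery/*"` filter widens Dependabot version updates from projectdiscovery modules to every module in go.mod, because only the new `security` group carries `applies-to: "security-updates"` while the existing `modules` group remains a version-updates group; third-party modules matching neither group will then receive individual version-update PRs, not just security PRs. If security-only coverage for third-party modules was the goal, the commit message should state that version updates were deliberately widened, or the `allow` block should stay (my recollection is that `allow` also scopes security updates in Dependabot — confirm against the current docs before relying on that). The `@@ -8,11 +8,13 @@` header counts one more old and new line than is visible here, so one context line appears to have been lost in the collapsed paste.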
@@ -0,0 +1,26 @@
+name: 🐛 govulncheck
+
+on:
+  schedule:
+    - cron: '0 0 * * 0' # Weekly
+  workflow_dispatch:
+
+jobs:
+  govulncheck:
+    runs-on: ubuntu-latest
+    if: github.repository == 'projectdiscovery/nuclei'
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    env:
+      OUTPUT: "/tmp/results.sarif"
+    steps:
+      - uses: actions/checkout@v4
+      - uses: projectdiscovery/actions/setup/go@v1
+      - run: go install golang.org/x/vuln/cmd/govulncheck@latest
+      - run: govulncheck -scan package -format sarif ./... > $OUTPUT
+      - uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "${{ env.OUTPUT }}"
+          category: "govulncheck"
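Review bot: The scanner is installed unpinned with `go install golang.org/x/vuln/cmd/govulncheck@latest`, so each weekly run may execute a different govulncheck build and a change in findings cannot be attributed to the code versus the tool; pinning a released version, `go install golang.org/x/vuln/cmd/govulncheck@<pinned-version>` (placeholder), and letting Dependabot bump it keeps the scanner under the same review as any other dependency. The `upload-sarif` step only runs if the `govulncheck ... > $OUTPUT` step exits zero; govulncheck exits non-zero when it finds vulnerabilities in text mode and I believe the sarif writer exits zero — confirm, and if not, add `if: always()` to the upload step so the SARIF still reaches code scanning on a positive result. `-scan package` reports a vulnerability whenever a vulnerable package is imported, regardless of whether the vulnerable symbol is reachable, which is broader than the default symbol-level scan and may raise alerts that do not apply; that is a defensible choice for a scheduled scan but deserves a comment such as `# package-level scan: broader than the default symbol scan, expect some unreachable findings` on that line. Quoting the redirect target as `> "$OUTPUT"` is a minor style point.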