This is yet another action using govulncheck to identify vulnerabilities in your Go code. It checks the code against known vulnerabilities published in pkg.go.dev/vuln.

```yaml
name: "Vulnerability scan"
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ '**' ]
jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 1
      - uses: florianl/[email protected]
```
A more advanced example that includes call stacks and provides JSON output might look like this:

```yaml
name: "Vulnerability scan"
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ '**' ]
jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 1
      - uses: florianl/[email protected]
        with:
          govulncheck-json: true
          govulncheck-verbose: true
```
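As an added example (not part of this action or its README), a small post-processing script for the stream that govulncheck writes when `govulncheck-json: true` is set: it groups findings by advisory and fails the job only when a finding carries a call stack, i.e. the vulnerable function is actually reached from the scanned code. The message layout (one JSON object per line with a `config`, `progress`, `osv` or `finding` key; `finding.trace` frames listed from the vulnerable symbol to the entry point, with a `function` only when a call stack exists) is assumed from govulncheck's JSON output format, and the sample lines and advisory ids are constructed.

```python
import json
from typing import Dict, List

# Constructed sample of `govulncheck -json` output: one JSON object per line.
# Ids, modules and positions are made up; the layout is an assumption about
# govulncheck's streaming JSON format (config / osv / finding messages).
SAMPLE_OUTPUT = """\
{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"osv":{"id":"GO-0000-0001","summary":"Constructed sample advisory","affected":[]}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v1.2.3","trace":[{"module":"example.com/dep","version":"v1.2.0","package":"example.com/dep","function":"Parse","position":{"filename":"parse.go","line":42}},{"module":"example.com/app","package":"example.com/app","function":"main","position":{"filename":"main.go","line":10}}]}}
{"finding":{"osv":"GO-0000-0002","fixed_version":"v0.9.1","trace":[{"module":"example.com/other","version":"v0.9.0"}]}}
"""


def summarize_findings(stream: str) -> Dict[str, dict]:
    """Group findings by OSV id and record whether any of them has a call stack.

    A trace frame with a "function" key means govulncheck found a path from the
    scanned package to the vulnerable symbol; a trace with only module/version
    frames means the vulnerable module is merely required, not called.
    """
    findings: Dict[str, dict] = {}
    for line in stream.splitlines():
        line = line.strip()
        if not line:
            continue
        finding = json.loads(line).get("finding")
        if finding is None:
            continue  # config / progress / osv messages carry no result
        entry = findings.setdefault(finding["osv"], {
            "fixed_version": finding.get("fixed_version", ""),
            "reachable": False,
            "call_stack": [],
        })
        trace: List[dict] = finding.get("trace", [])
        if any("function" in frame for frame in trace):
            entry["reachable"] = True
            # Frames run from the vulnerable symbol up to the entry point;
            # reverse them so the stack reads entry point -> vulnerable symbol.
            entry["call_stack"] = [
                f"{frame.get('package', '')}.{frame['function']}"
                for frame in reversed(trace) if "function" in frame
            ]
    return findings


def exit_code(findings: Dict[str, dict]) -> int:
    """CI gate: non-zero only for reachable findings; module-level findings
    without a call stack are reported but do not fail the job."""
    return 1 if any(f["reachable"] for f in findings.values()) else 0
```

Reachable findings still list `fixed_version`, which is the version to bump the dependency to; unreachable ones are worth reviewing at the next dependency update.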
The action accepts the following inputs:

- Let the action install a version of Go. If set to false, the action expects you to have installed Go already. By default Go 1.19 will be installed.
- Optional path to the working directory govulncheck should be executed in.
- `govulncheck-json`: Provide JSON output instead of standard text.
- Comma-separated list of Go build tags.
- `govulncheck-verbose`: Print a full call stack for each identified vulnerability.
- Specify a version of govulncheck to install. By default latest will be used.