GitHub Action

Golang Vulncheck

v0.0.6

Performs a vulnerability scan using govulncheck and afterwards uploads the result as a SARIF report to GitHub

Installation

Copy and paste the following snippet into your .yml file.

- name: Golang Vulncheck
  uses: Templum/govulncheck-action@v0.0.6

Learn more about this action in Templum/govulncheck-action

Golang Vulncheck

This action uses govulncheck to scan the code. It then parses the output and transforms it into a SARIF report, which is uploaded to GitHub using the code-scanning API. Please note that this requires write permission for security_events. The result should then be visible in the Security tab. By default this action won't exit with a failure if a vulnerability was found, but it can be configured to do so.
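As an added illustration of the "transform it into a SARIF report" step (this is not the action's own code), the Go program below turns a constructed, simplified list of findings into a minimal SARIF 2.1.0 document of the kind the code-scanning API accepts. The `Finding` shape and the `GO-0000-0000` advisory ID are assumptions; the real `govulncheck -json` output is richer and differs between releases.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Finding is a constructed, simplified view of one govulncheck result; the real
// `govulncheck -json` stream is richer and version-dependent, so this shape is an assumption.
type Finding struct{ ID, Module, Version, Fixed, File string; Line int }

// Minimal SARIF 2.1.0 result shapes. Every ruleId must name a rule declared under
// tool.driver.rules, and each location needs a physicalLocation for code-scanning annotations.
type Rule struct {
	ID        string            `json:"id"`
	ShortDesc map[string]string `json:"shortDescription"`
}
type Result struct {
	RuleID    string            `json:"ruleId"`
	Level     string            `json:"level"`
	Message   map[string]string `json:"message"`
	Locations []map[string]any  `json:"locations"`
}

// ToSARIF converts findings into a SARIF log that GitHub code scanning can ingest;
// repeated advisory IDs are collapsed into a single rule entry.
func ToSARIF(findings []Finding) map[string]any {
	rules, results, seen := []Rule{}, []Result{}, map[string]bool{}
	for _, f := range findings {
		if !seen[f.ID] {
			seen[f.ID] = true
			rules = append(rules, Rule{ID: f.ID, ShortDesc: map[string]string{"text": f.ID + " in " + f.Module}})
		}
		loc := map[string]any{"physicalLocation": map[string]any{
			"artifactLocation": map[string]string{"uri": f.File},
			"region":           map[string]int{"startLine": f.Line}}}
		msg := fmt.Sprintf("%s %s is affected by %s; fixed in %s", f.Module, f.Version, f.ID, f.Fixed)
		results = append(results, Result{RuleID: f.ID, Level: "error", Message: map[string]string{"text": msg}, Locations: []map[string]any{loc}})
	}
	return map[string]any{
		"$schema": "https://json.schemastore.org/sarif-2.1.0.json", "version": "2.1.0",
		"runs": []map[string]any{{"tool": map[string]any{"driver": map[string]any{"name": "govulncheck", "rules": rules}}, "results": results}},
	}
}

func main() {
	// Constructed sample; the advisory ID is a placeholder, not a real GO- entry.
	out, _ := json.MarshalIndent(ToSARIF([]Finding{{"GO-0000-0000", "example.com/dep", "v1.0.0", "v1.0.1", "main.go", 12}}), "", "  ")
	fmt.Println(string(out))
}
```

Writing the marshalled output to govulncheck-report.sarif gives a file that can be uploaded to the code-scanning API or kept as a build artifact, as the workflows below do.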

ℹ️ Limitations of govulncheck ℹ️

For a full list of currently known limitations, please head over to here. Below is an overview of the most important ones.

  • Govulncheck only reads binaries compiled with Go 1.18 and later.
  • Govulncheck only reports vulnerabilities that apply to the current Go build system and configuration (GOOS/GOARCH settings).

📚 Useful links & resources on govulncheck 📚

  • Official Package Documentation: Link
  • Introduction Blogpost: Link

Usage

Example Workflows

This configuration uses a different version of Go (1.18), scans ./..., and will fail if at least one vulnerability was found. It also explicitly sets the github-token.

name: My Workflow
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Running govulncheck
        uses: Templum/govulncheck-action@<version>
        with:
          go-version: 1.18
          vulncheck-version: latest
          package: ./...
          github-token: ${{ secrets.GITHUB_TOKEN }}
          fail-on-vuln: true

This configuration uses most of the default values, which are specified below. However, it skips the upload to GitHub and instead uses the upload-artifact action to upload the result directly as a build artifact.

name: My Workflow
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Running govulncheck
        uses: Templum/govulncheck-action@<version>
        with:
          skip-upload: true
      - name: Upload Sarif Report
        uses: actions/upload-artifact@v3
        with:
          name: sarif-report
          path: govulncheck-report.sarif

Inputs

| Input | Description |
| --- | --- |
| go-version (optional) | Version of Go used for scanning the code; should equal your runtime version. Defaults to 1.19 |
| vulncheck-version (optional) | Version of govulncheck that should be used; by default latest |
| package (optional) | The package you want to scan; by default ./... |
| github-token (optional) | GitHub token used to upload the SARIF report. Needs write permission for security_events |
| fail-on-vuln (optional) | Specifies whether the action should fail on encountering any vulnerability; by default it will not |
| skip-upload (optional) | Skips the SARIF upload; the report is instead written to disk as govulncheck-report.sarif |

⚠️ Please be aware that go-version should be a valid tag name for the golang Docker Hub image.

🔒 Please be aware that if the token is not specified, github.token is used; for more details on that, check those docs.