Security Workflow¶
The security.yml reusable workflow runs gosec and govulncheck against a Go module and uploads the findings to GitHub Code Scanning as SARIF.
Usage¶
```yaml
permissions:
  contents: read
  security-events: write

jobs:
  security:
    uses: go-gamma/actions/.github/workflows/security.yml@v1
    permissions:
      contents: read
      security-events: write
    with:
      go-version: '1.24'
```

`@v1` is a moving tag that the upstream maintainers can re-point; if you need a stricter supply chain, pin the `uses:` reference to a full commit SHA instead.
Security Tools¶
gosec¶
gosec statically analyses the repository's own Go source (not its dependencies) for:
- SQL injection (queries assembled from string formatting or concatenation)
- Command injection (subprocesses launched with variable arguments)
- Hardcoded credentials (secrets embedded as string literals)
- Weak cryptography (MD5, SHA-1, DES, RC4 and similar)
- File permission issues (files or directories created world- or group-accessible)
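As an added illustration of the finding classes listed above (example code written for this page, not code from go-gamma/actions or from gosec), the block below pairs a pattern gosec reports with a form that passes, for each class. The flagged forms are kept in comments so the file itself scans clean; the rule IDs in the comments refer to gosec's rule set, and the `API_TOKEN` variable name is an assumption.

```go
// Added illustration of the finding classes listed above; this is example
// code written for this page, not code from go-gamma/actions or from gosec.
// Each pair shows a pattern gosec reports (left as a comment so this file
// itself scans clean) next to a form that passes. Rule IDs in the comments
// refer to gosec's rule set; the API_TOKEN variable name is an assumption.
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"os/exec"
)

// Hardcoded credentials (G101).
// Flagged:  const apiToken = "sk_live_0123456789abcdef"
// Passes:   resolve the secret at runtime instead of embedding it.
func apiToken() (string, error) {
	tok, ok := os.LookupEnv("API_TOKEN")
	if !ok || tok == "" {
		return "", errors.New("API_TOKEN is not set")
	}
	return tok, nil
}

// SQL injection (G201/G202).
// Flagged: query text assembled from user input; name = "bob' OR '1'='1"
// rewrites the WHERE clause.
func userQueryUnsafe(name string) string {
	return fmt.Sprintf("SELECT id FROM users WHERE name = '%s'", name)
}

// Passes: constant query text; the input travels as a bound parameter that
// the driver escapes. Hand both values to db.QueryContext.
func userQuerySafe(name string) (query string, args []any) {
	return "SELECT id FROM users WHERE name = ?", []any{name}
}

// Command injection (G204).
// Flagged: a shell parses user input, so dir = "/tmp; rm -rf /" runs two commands.
func listDirUnsafe(dir string) *exec.Cmd {
	return exec.Command("sh", "-c", "ls -l "+dir)
}

// Passes: no shell; dir reaches ls as one argv entry and "--" stops it from
// being read as an option. G204 is an audit rule and may still report a call
// whose arguments are variables, so review it rather than silencing it.
func listDirSafe(dir string) *exec.Cmd {
	return exec.Command("ls", "-l", "--", dir)
}

// Weak cryptography (G401/G501).
// Flagged:  md5.Sum(data) or sha1.Sum(data) used for integrity or fingerprints.
// Passes:   SHA-256.
func fingerprint(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// File permissions (G306).
// Flagged:  os.WriteFile(path, data, 0o644) for material only the owner should read.
// Passes:   owner-only mode.
func writeSecret(path string, data []byte) error {
	return os.WriteFile(path, data, 0o600)
}

func main() {
	inj := "bob' OR '1'='1"
	fmt.Println(userQueryUnsafe(inj))
	q, args := userQuerySafe(inj)
	fmt.Println(q, args)
	fmt.Println(listDirUnsafe("/tmp; rm -rf /").Args)
	fmt.Println(listDirSafe("/tmp; rm -rf /").Args)
	fmt.Println(fingerprint([]byte("hello")))
}
```

Running `gosec ./...` locally on a file that still contains the flagged forms is the quickest way to see the same findings the workflow reports before they reach the Security tab.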
govulncheck¶
govulncheck checks the module's dependencies against the official Go vulnerability database (vuln.go.dev):
- Known CVEs and GO-* advisories affecting the dependency versions in go.mod
- Reachability analysis: in source mode it reports only vulnerabilities whose affected functions your code can actually call, so an unreachable CVE in a transitive dependency does not fail the build
- Advisories curated by the Go security team rather than a generic CVE feed
GitHub Code Scanning¶
Results are uploaded as SARIF reports to GitHub Code Scanning, which provides:
- Security alerts in the repository's Security tab
- Inline annotations on pull requests
- Historical tracking of when each finding first appeared and when it was resolved
Inputs¶
| Input | Type | Default | Description |
|---|---|---|---|
| go-version | string | '1.24' | Go version to install |
| go-version-file | string | '' | Path to a go.mod to read the Go version from |
| working-directory | string | '.' | Directory containing the Go module to scan |
| run-gosec | boolean | true | Run gosec |
| run-govulncheck | boolean | true | Run govulncheck |
| upload-sarif | boolean | true | Upload results to GitHub Code Scanning |
| fail-on-vulns | boolean | true | Fail the job when either tool reports findings |
Outputs¶
| Output | Description |
|---|---|
| gosec-result | `pass` or `issues-found` |
| govulncheck-result | `pass` or `vulnerabilities-found` |
Examples¶
Warn Only (No Failure)¶
```yaml
jobs:
  security:
    uses: go-gamma/actions/.github/workflows/security.yml@v1
    with:
      go-version: '1.24'
      fail-on-vulns: false  # Warn but don't fail
```
govulncheck Only¶
```yaml
jobs:
  security:
    uses: go-gamma/actions/.github/workflows/security.yml@v1
    with:
      go-version: '1.24'
      run-gosec: false  # Skip gosec
```
Without Code Scanning¶
```yaml
jobs:
  security:
    uses: go-gamma/actions/.github/workflows/security.yml@v1
    with:
      go-version: '1.24'
      upload-sarif: false  # Don't upload to Code Scanning
```
Permissions¶
Required Permissions
SARIF upload requires the `security-events: write` permission. Grant it on the calling job, as in the Usage example above, together with `contents: read`, which the checkout needs. The `security-events: write` grant exists only for the upload, so when `upload-sarif: false` is set it can be omitted.
Code Scanning is available on public repositories; on private repositories it requires GitHub Advanced Security.
