Add vulnerability check (#15)

* Add vulnerability check * Update action versions * Use go.mod as version source * Fail check step if has erros
th2-net · Mar 4, 2024 · 8ac6105 · 8ac6105
1 parent 5b0f3e5
commit 8ac6105
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 4 deletions.
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
@@ -6,12 +6,12 @@ jobs:
   check:
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v5
         with:
-          go-version: 1.19
+          go-version-file: go.mod
 
       - name: Install protoc
         run: sudo apt-get update && sudo apt-get install -y protobuf-compiler && protoc --version
@@ -27,7 +27,6 @@ jobs:
             exit 1
           fi
 
-      
       - name: Build sources
         run: make build
       - name: Check sources

diff --git a/.github/workflows/vulnerability_check.yml b/.github/workflows/vulnerability_check.yml
@@ -0,0 +1,27 @@
+name: Check repository for vulnerabilities
+
+on: [push, workflow_dispatch]
+
+jobs:
+  vulnerabilities:
+    env:
+      report-file: report.txt
+    name: Check vulnerabilities
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+      - name: Run check
+        run: govulncheck -show verbose ./... 2>&1 | tee ${{ env.report-file }}
+      - name: Collect report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: 'govulncheck-report'
+          path: ${{ env.report-file }}
+          overwrite: true