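# SPDX-FileCopyrightText: Copyright 2026 Stacklok, Inc.
# SPDX-License-Identifier: Apache-2.0
#
# Security scanning workflow: runs govulncheck (Go vulnerability database
# against this module's packages) and Grype (vulnerability scan of the
# checked-out tree). Runs daily and can be invoked from other workflows via
# `workflow_call`.
#
# Supply-chain notes:
#   - Every third-party action is pinned to a full commit SHA; the trailing
#     "# vX.Y.Z" comment is informational only. Keep it that way when bumping.
#   - Workflow-level permissions are read-only. A job that needs more should
#     request it in its own `permissions:` block rather than widening this one.
name: Security

on:
  workflow_call:
  schedule:
    # Run daily at 2 AM UTC (scheduled runs execute against the default branch)
    - cron: '0 2 * * *'

# Least privilege: both scanners only need to read the checkout.
permissions:
  contents: read

jobs:
  govulncheck:
    name: Go Vulnerability Check
    runs-on: ubuntu-latest
    # Bound runner time so a hung scan cannot hold a runner for hours.
    timeout-minutes: 20
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Nothing in this job pushes or fetches through this clone, so do not
          # leave GITHUB_TOKEN in .git/config where later tools could read it.
          persist-credentials: false
      - name: Run govulncheck
        uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
        with:
          go-version-input: 'stable'
          go-package: ./...
          # The repo is already checked out above; skip the action's own checkout.
          repo-checkout: false

  grype:
    name: Grype Vulnerability Scan
    runs-on: ubuntu-latest
    timeout-minutes: 20
    # TODO: when the repo is public and the SARIF upload below is enabled, grant
    # `security-events: write` here at job scope, not at the workflow level, so
    # the govulncheck job does not inherit it.
    # permissions:
    #   contents: read
    #   security-events: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Run Grype vulnerability scanner
        id: grype-scan
        uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # v7.4.0
        with:
          path: "."
          output-format: "table"
          # Fail the job on any finding at or above the severity cutoff ...
          fail-build: true
          severity-cutoff: "high"
          # ... but only for findings that already have a fix available.
          # NOTE: a high/critical CVE with no upstream fix yet will therefore
          # NOT fail this job; review the scan output periodically for those.
          only-fixed: true
      # TODO: Enable SARIF upload once repo is public. When doing so:
      #   - pin upload-sarif to a commit SHA like every other action here,
      #     not the floating `@v3` tag below;
      #   - change `output-format` above so the action emits SARIF (see the
      #     scan-action docs for the exact value), otherwise
      #     `steps.grype-scan.outputs.sarif` is presumably empty — verify.
      # - name: Upload Grype scan results to GitHub Security tab
      #   uses: github/codeql-action/upload-sarif@v3
      #   if: always()
      #   with:
      #     sarif_file: ${{ steps.grype-scan.outputs.sarif }}
      #     category: "grype"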