Add a check for vulnerabilities in the Go database

The Trivy vulnerability database has been unavailable lately. Issue: PGO-1893 See: https://go.dev/security/vuln
CrunchyData · Nov 1, 2024 · a9aa456 · a9aa456
1 parent a6ba2e3
commit a9aa456
Showing 1 changed file with 47 additions and 0 deletions.
diff --git a/.github/workflows/govulncheck.yaml b/.github/workflows/govulncheck.yaml
@@ -0,0 +1,47 @@
+# https://go.dev/security/vuln
+name: govulncheck
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+env:
+  # Use the Go toolchain installed by setup-go
+  # https://github.com/actions/setup-go/issues/457
+  GOTOOLCHAIN: local
+
+jobs:
+  vulnerabilities:
+    if: ${{ github.repository == 'CrunchyData/postgres-operator' }}
+    permissions:
+      security-events: write
+
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      # Install Go and produce a SARIF report. This fails only when the tool is
+      # unable to scan.
+      - uses: golang/govulncheck-action@v1
+        with:
+          output-format: 'sarif'
+          output-file: 'govulncheck-results.sarif'
+          repo-checkout: false
+
+      # Submit the SARIF report to GitHub code scanning. Pull request checks
+      # succeed or fail according to branch protection rules.
+      # - https://docs.github.com/en/code-security/code-scanning
+      # TODO: https://go.dev/issue/70157
+      - if: ${{ false }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'govulncheck-results.sarif'
+
+      # Print any detected vulnerabilities to the workflow log. This step fails
+      # when the tool detects a vulnerability in code that is called.
+      # - https://go.dev/blog/govulncheck
+      - uses: golang/govulncheck-action@v1
+        with:
+          repo-checkout: false