# Reusable security scanning workflow for Go repos # Usage: uses: core/go-devops/.forgejo/workflows/security-scan.yml@main # # Runs: govulncheck, gitleaks, trivy name: Security Scan on: workflow_call: inputs: go-version: description: Go version to use type: string default: '1.26' trivy-severity: description: Trivy severity threshold type: string default: 'HIGH,CRITICAL' gitleaks-version: description: Gitleaks version type: string default: '8.24.3' jobs: govulncheck: name: Go Vulnerability Check runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-go@v5 with: go-version: ${{ inputs.go-version }} - name: Install govulncheck run: go install golang.org/x/vuln/cmd/govulncheck@latest - name: Run govulncheck run: govulncheck ./... gitleaks: name: Secret Detection runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: fetch-depth: 0 - name: Install gitleaks run: | set -euo pipefail GITLEAKS_VERSION="${{ inputs.gitleaks-version }}" ARCH=$(uname -m) case "$ARCH" in x86_64) ARCH_SUFFIX="x64" ;; aarch64) ARCH_SUFFIX="arm64" ;; *) echo "Unsupported arch: $ARCH"; exit 1 ;; esac URL="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_${ARCH_SUFFIX}.tar.gz" curl -fsSL "$URL" | tar xz -C /usr/local/bin gitleaks gitleaks version - name: Scan for secrets run: gitleaks detect --source . --no-banner trivy: name: Dependency & Config Scan runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Install Trivy run: | curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin - name: Filesystem scan run: trivy fs --scanners vuln,secret,misconfig --severity ${{ inputs.trivy-severity }} --exit-code 1 .