go-devops/.forgejo/workflows/security-scan.yml

# Reusable security scanning workflow for Go repos
# Usage: uses: core/go-devops/.forgejo/workflows/security-scan.yml@main
#
# Runs: govulncheck, gitleaks, trivy

name: Security Scan

on:
  workflow_call:
    inputs:
      go-version:
        description: Go version to use
        type: string
        default: '1.26'
      trivy-severity:
        description: Trivy severity threshold
        type: string
        default: 'HIGH,CRITICAL'
      gitleaks-version:
        description: Gitleaks version
        type: string
        default: '8.24.3'

jobs:
  govulncheck:
    name: Go Vulnerability Check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: ${{ inputs.go-version }}
      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - name: Run govulncheck
        run: govulncheck ./...

  gitleaks:
    name: Secret Detection
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Install gitleaks
        run: |
          set -euo pipefail
          GITLEAKS_VERSION="${{ inputs.gitleaks-version }}"
          ARCH=$(uname -m)
          case "$ARCH" in
            x86_64)  ARCH_SUFFIX="x64" ;;
            aarch64) ARCH_SUFFIX="arm64" ;;
            *)       echo "Unsupported arch: $ARCH"; exit 1 ;;
          esac
          URL="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_${ARCH_SUFFIX}.tar.gz"
          curl -fsSL "$URL" | tar xz -C /usr/local/bin gitleaks
          gitleaks version
      - name: Scan for secrets
        run: gitleaks detect --source . --no-banner

  trivy:
    name: Dependency & Config Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Trivy
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
      - name: Filesystem scan
        run: trivy fs --scanners vuln,secret,misconfig --severity ${{ inputs.trivy-severity }} --exit-code 1 .