
deps: Bump golang.org/x/text from 0.37.0 to 0.38.0 #213




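# Security scan workflow
#
# Four independent jobs: govulncheck (Go module vulnerabilities), a Trivy scan
# of the built container image, a Trivy scan of the repository filesystem
# (dependencies), and Hadolint (Dockerfile lint). Both Trivy jobs upload SARIF
# to the GitHub Security tab; each upload sets its own `category` so the two
# analyses for the same commit and tool are kept apart instead of one
# replacing the other.
name: Security Scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Run weekly on Monday at 00:00 UTC (09:00 JST)
    - cron: '0 0 * * 1'
# Least privilege for the whole workflow: read the checkout, write only
# code-scanning alerts (needed by upload-sarif).
permissions:
  contents: read
  security-events: write
jobs:
  # Go dependency vulnerability scan
  govulncheck:
    name: Go Vulnerability Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: '1.26.4'
      - name: Install govulncheck
        # @latest resolves at run time; acceptable for a scanner that should
        # track the newest vulnerability database tooling, but runs are not
        # reproducible across time.
        run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - name: Run govulncheck
        run: govulncheck ./...
  # Docker image vulnerability scan
  trivy-image:
    name: Trivy Image Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4
      - name: Build image for scanning
        uses: docker/build-push-action@v7
        with:
          context: .
          target: production
          # load into the local daemon only; nothing is pushed from this job
          load: true
          tags: roji:scan
      - name: Run Trivy vulnerability scanner
        # NOTE(review): @master is a mutable branch reference, so the scanner
        # code can change underneath this workflow without a diff here. Pin to
        # a release tag or full commit SHA once the team picks one.
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'roji:scan'
          format: 'sarif'
          output: 'trivy-image-results.sarif'
          severity: 'CRITICAL,HIGH'
          # findings with no available fix are suppressed by design
          ignore-unfixed: true
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        # upload even when the scan step itself fails
        if: always()
        with:
          sarif_file: 'trivy-image-results.sarif'
          # distinct from the filesystem scan's upload of the same tool
          category: trivy-image
  # Filesystem (dependencies) scan
  trivy-fs:
    name: Trivy Filesystem Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
      - name: Run Trivy filesystem scanner
        # NOTE(review): same mutable @master reference as the image scan job;
        # pin to a release tag or full commit SHA.
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-fs-results.sarif'
          severity: 'CRITICAL,HIGH'
          # findings with no available fix are suppressed by design
          ignore-unfixed: true
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        # upload even when the scan step itself fails
        if: always()
        with:
          sarif_file: 'trivy-fs-results.sarif'
          # distinct from the image scan's upload of the same tool
          category: trivy-fs
  # Dockerfile best practices check
  hadolint:
    name: Dockerfile Lint
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
      - name: Run Hadolint
        uses: hadolint/hadolint-action@v3.3.0
        with:
          dockerfile: Dockerfile
          # fail the job on warnings as well as errors
          failure-threshold: warning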