Skip to content

This action uses govulncheck to perform a scan of the code, afterwards it will parse the output and transform it into an Sarif Report, which will be uploaded to Github using the code-scanning API.

License

Notifications You must be signed in to change notification settings

Templum/govulncheck-action

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace

Repository files navigation

Golang Vulncheck

CI Flow Release Process

This action uses govulncheck to perform a scan of the code, afterwards it will parse the output and transform it into an Sarif Report, which will be uploaded to Github using the code-scanning API. Please note this requires write-permission for security_events. The result should then be visible within the security-tab. By default this action won't exit with a failure if a vulnerability was found, but it can be configured this way.

ℹ️ Limitations of govulncheck ℹ️

For a full list of currently known limitations please head over to here. Listed below are an important overview.

  • Govulncheck analyzes function pointer and interface calls conservatively, which may result in false positives or inaccurate call stacks in some cases.
  • Calls to functions made using package reflect are not visible to static analysis. Vulnerable code reachable only through those calls will not be reported.
  • There is no support for silencing vulnerability findings.

📚 Useful links & resources on govulncheck 📚

  • Official Package Documentation: Link
  • Introduction Blogpost: Link

Usage

Where can I find the scan results of this action ?

Please be aware there will be no direct output to the console, all found vulnerabilities will be reported to Github via an Sarif Report. Therefore all findings should be located in the Security-Tab under the Code Scanning-Section.

Locating Code Scanning

Result List

Example Workflows

This configuration uses a different version of go (1.18) scans ./... and will fail if at least one vulnerability was found.

⚠️ Choosing vulncheck-version: latest can include breaking changes to the JSON format, which will break this action.

name: My Workflow
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Scan for Vulnerabilities in Code
        uses: Templum/govulncheck-action@<version>
        with:
          go-version: 1.18
          vulncheck-version: latest
          package: ./...
          fail-on-vuln: true
Example configuration for repository that relies on a private library.

ℹ️ This action for the moment works with personal access token while creating one make sure it has write-read access to the dependent repositories as this is required for $ go get. Further following best practices create the token with the smallest possible scope.

name: My Workflow
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Scan for Vulnerabilities in Code
        uses: Templum/govulncheck-action@<version>
        env:
          GH_PAT_TOKEN: ${{ secrets.PAT_TOKEN }}
          GOPRIVATE: "github.com/your-name/private-lib"
This configuration uses most of the default values, which are specified below. However it skips the upload to Github and instead uses the upload-artifact-action to upload the result directly as build artifact.
name: My Workflow
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Scan for Vulnerabilities in Code
        uses: Templum/govulncheck-action@<version>
        with:
          skip-upload: true
      - name: Upload Sarif Report
        uses: actions/upload-artifact@v3
        with:
          name: sarif-report
          path: govulncheck-report.sarif
This configuration shows how to grant required permissions to the action in case you run into permission issues.
name: My Workflow
on: [push, pull_request]
permissions: 
  security-events: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Scan for Vulnerabilities in Code
        uses: Templum/govulncheck-action@<version>
The following configuration sets the action into DEBUG Mode. Which features verbose logging and allows access to the raw govulncheck JSON report.
name: My Debug Workflow
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Scan for Vulnerabilities in Code
        uses: Templum/govulncheck-action@<version>
        with:
          skip-upload: true
        env:
          DEBUG: "true"
      - name: Upload Report
        uses: actions/upload-artifact@v3
        with:
          name: raw-report
          path: raw-report.json

Inputs

Input Description
go-version (optional) Version of Go used for scanning the code, should equal your runtime version. Defaults to 1.21.4
vulncheck-version (optional) Version of govulncheck that should be used, by default v1.0.0
package (optional) The package you want to scan, by default will be ./...
github-token (optional) Github Token to upload sarif report. Needs write permissions for security_events
fail-on-vuln (optional) This allows you to specify if the action should fail on encountering any vulnerability, by default it will not
skip-upload (optional) This flag allows you to skip the sarif upload, it will be instead written to disk as govulncheck-report.sarif

⚠️ Please be aware that go-version should be a valid tag name for the golang dockerhub image.

🔒 Please be aware if the token is not specified it uses github.token for more details on that check those docs