govulncheck-action: Adding the initial version of the govulncheck github action & README

Change-Id: I1e5ea64b91d6f10147c0632441df189de5e486b3
Reviewed-on: https://go-review.googlesource.com/c/govulncheck-action/+/494038
Reviewed-by: Brandon Kessler <bkessler@google.com>
Auto-Submit: Brandon Kessler <bkessler@google.com>
TryBot-Bypass: Brandon Kessler <bkessler@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Brandon Kessler <bkessler@google.com>
2 files changed
tree: aa4d1a99cfe3774f1dc3006fe8371fb673dc557e
  1. action.yml
  2. CONTRIBUTING.md
  3. LICENSE
  4. PATENTS
  5. README.md
README.md

GitHub Action for govulncheck

This repository holds the GitHub Action for govulncheck. Govulncheck reports known vulnerabilities that affect Go code. It uses static analysis of source code or a binary's symbol table to narrow down reports to only those that could affect the application. You can read more about govulncheck at https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck.

The govulncheck GitHub Action is currently experimental and is under active development.

Using the govulncheck GitHub Action

To use the govulncheck GitHub Action, add the following step to your workflow:

- id: govulncheck
  uses: golang/govulncheck-action@v1

By default the govulncheck GitHub Action runs with the latest version of Go against the ./... package path, which is equivalent to running:

govulncheck ./...

To pin a specific version of Go, or to run govulncheck against a different package path, set the go-version-input and go-package inputs on the step:

- id: govulncheck
  uses: golang/govulncheck-action@v1
  with:
     go-version-input: 1.XX
     go-package: ./...

Below is a full example of a workflow that runs govulncheck against a simple repository on every push:

on: [push]

jobs:
  govulncheck_job:
    runs-on: ubuntu-latest
    name: Run govulncheck
    steps:
      - id: govulncheck
        uses: golang/govulncheck-action@v1
        with:
           go-version-input: 1.20.3

When this workflow finds a vulnerability you will see an error in the Run govulncheck job like the one below. The output contains information about the vulnerability and how to fix it:

[image: govulncheck output shown as an error in the Run govulncheck job]
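The workflow above only runs on push, but govulncheck's result depends on the contents of the Go vulnerability database at the moment it runs: a commit that passed last week can start failing once a new advisory is published for a module it calls. The workflow below is an added example, not code from the govulncheck-action repository; it uses only the two inputs this README documents (go-version-input and go-package) and goes beyond the example above by also running on pull requests and on a daily schedule, and by restricting the job's GITHUB_TOKEN to read access since govulncheck never writes back to the repository. The cron schedule is an arbitrary choice.

```yaml
# Added example, not part of the govulncheck-action repository.
# Uses only the two inputs the README documents (go-version-input, go-package).
name: govulncheck

on:
  push:
  pull_request:
  schedule:
    # Re-run daily: govulncheck's findings depend on the vulnerability
    # database at run time, so a clean push can become a failing check later.
    - cron: '17 6 * * *'

# Least privilege for the job's GITHUB_TOKEN: govulncheck only needs to read
# the checked-out source; it never writes to the repository.
permissions:
  contents: read

jobs:
  govulncheck_job:
    runs-on: ubuntu-latest
    name: Run govulncheck
    steps:
      - id: govulncheck
        uses: golang/govulncheck-action@v1
        with:
          go-version-input: 1.20.3
          go-package: ./...
```

The step is pinned to the v1 tag, as in the examples above; pinning to a full commit SHA instead of a tag is the stricter choice for any third-party action, since a tag can be moved.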

Report Issues / Send Patches

This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://go.dev/doc/contribute.html.

The main issue tracker for the govulncheck-action repository is located at https://github.com/golang/go/issues. Prefix your issue with “x/govulncheck-action:” in the subject line, so it is easy to find.