commit | 36fe93a417951e0be24d0bcfd3a712152d6f91af | |
---|---|---|
author | Brandon Kessler <bkessler@google.com> | Thu May 11 12:09:18 2023 -0400 |
committer | Brandon Kessler <bkessler@google.com> | Mon May 15 17:18:47 2023 +0000 |
tree | aa4d1a99cfe3774f1dc3006fe8371fb673dc557e | |
parent | a197ae39e55573b3a0e752b9bd72f457a458adf6 | |

govulncheck-action: Adding the initial version of the govulncheck github action & README

Change-Id: I1e5ea64b91d6f10147c0632441df189de5e486b3
Reviewed-on: https://go-review.googlesource.com/c/govulncheck-action/+/494038
Reviewed-by: Brandon Kessler <bkessler@google.com>
Auto-Submit: Brandon Kessler <bkessler@google.com>
TryBot-Bypass: Brandon Kessler <bkessler@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Brandon Kessler <bkessler@google.com>

This repository holds the GitHub Action for govulncheck. Govulncheck reports known vulnerabilities that affect Go code. It uses static analysis of source code or a binary's symbol table to narrow down reports to only those that could affect the application. You can read more about govulncheck at https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck.
The govulncheck GitHub Action is currently experimental and is under active development.
To use the govulncheck GitHub Action add the following step to your workflow:
```yaml
- id: govulncheck
  uses: golang/govulncheck-action@v1
```
By default, the govulncheck GitHub Action runs with the latest version of Go and the `./...` package path:
```
govulncheck ./...
```
To use a specific version of Go or run govulncheck against a different package path, add the following step to your workflow instead:
```yaml
- id: govulncheck
  uses: golang/govulncheck-action@v1
  with:
    go-version-input: 1.XX
    go-package: ./...
```
Below is a full example of a workflow that runs govulncheck against a simple repository on every push:
```yaml
on: [push]

jobs:
  govulncheck_job:
    runs-on: ubuntu-latest
    name: Run govulncheck
    steps:
      - id: govulncheck
        uses: golang/govulncheck-action@v1
        with:
          go-version-input: 1.20.3
```
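A variant of the workflow above, added here as an example and not taken from this repository: it also runs on pull requests and on a schedule, because a newly published vulnerability can affect code that has not changed since the last push, and it limits the job's token to read access. The cron time and the assumption that the scan needs only read access to repository contents are this example's own; the `go-version-input` and `go-package` inputs are the ones documented above.

```yaml
# Added example, not part of the govulncheck-action repository.
name: govulncheck

on:
  push:
  pull_request:
  schedule:
    # Constructed schedule: every day at 06:00 UTC. A push-only trigger
    # misses vulnerabilities published after the last commit.
    - cron: "0 6 * * *"

# Assumption: the scan only needs to read the repository contents,
# so the workflow token is restricted to read access.
permissions:
  contents: read

jobs:
  govulncheck_job:
    runs-on: ubuntu-latest
    name: Run govulncheck
    steps:
      - id: govulncheck
        uses: golang/govulncheck-action@v1
        with:
          go-version-input: 1.20.3
          go-package: ./...
```

Scheduled workflows run against the repository's default branch, so the scheduled scan covers that branch only.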
When this workflow finds a vulnerability you will see an error in the Run govulncheck job like the one below. The output contains information about the vulnerability and how to fix it:
This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://go.dev/doc/contribute.html.
The main issue tracker for this repository is located at https://github.com/golang/go/issues. Prefix your issue with “x/govulncheck-action:” in the subject line, so it is easy to find.