tree: fffcec50cc9da25115a798f91d825e089c3046de
README.md

GitHub Action for govulncheck

This repository holds the GitHub Action for govulncheck. Govulncheck reports known vulnerabilities that affect Go code. It uses static analysis of source code or a binary's symbol table to narrow down reports to only those that could affect the application. You can read more about govulncheck at https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck.

The govulncheck GitHub Action is currently experimental and is under active development.

Using the govulncheck GitHub Action

To use the govulncheck GitHub Action, add the following step to your workflow:

- id: govulncheck
  uses: golang/govulncheck-action@v1

By default, the govulncheck GitHub Action runs with the latest version of Go and the ./... package path, which is equivalent to running:

govulncheck ./...

To pin a specific version of Go, or to run govulncheck against a different package path, set the go-version-input and go-package inputs on the step:

- id: govulncheck
  uses: golang/govulncheck-action@v1
  with:
    go-version-input: 1.XX
    go-package: ./...

Below is a full example of a workflow that runs govulncheck against a simple repository on every push:

on: [push]

jobs:
  govulncheck_job:
    runs-on: ubuntu-latest
    name: Run govulncheck
    steps:
      - id: govulncheck
        uses: golang/govulncheck-action@v1
        with:
          go-version-input: 1.20.3

When this workflow finds a vulnerability, the Run govulncheck job fails with an error like the one below. The output describes the vulnerability and how to fix it:

(screenshot: govulncheck output in a failed Run govulncheck job, showing the vulnerability report and fix advice)
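The workflows above use the action's defaults. The following is an added example, not part of this README or the project's own workflows, that shows how the two documented inputs combine with standard GitHub Actions features in a workflow you would actually ship: the job is granted only read access to repository contents (the scan needs nothing more), it runs on pull requests as well as pushes so findings surface before merge, and a matrix scans with every Go toolchain the project supports. The Go versions in the matrix and the ./cmd/... package path are constructed values for illustration; replace them with your project's own.

```yaml
name: govulncheck

on:
  push:
    branches: [main]
  pull_request:

# Least privilege: a vulnerability scan only needs to read the checkout.
# Without this block the job inherits the repository's default token scope.
permissions:
  contents: read

jobs:
  govulncheck:
    name: Run govulncheck (Go ${{ matrix.go }})
    runs-on: ubuntu-latest
    strategy:
      # Keep scanning the other toolchains even if one of them reports a finding.
      fail-fast: false
      matrix:
        # Constructed example versions: list each Go toolchain you build releases with.
        go: ['1.20.3', '1.21.0']
    steps:
      - id: govulncheck
        uses: golang/govulncheck-action@v1
        with:
          go-version-input: ${{ matrix.go }}
          # Constructed path: scan only the packages that make up the shipped binaries,
          # so reports are limited to code that can actually reach production.
          go-package: ./cmd/...
```

The action checks out the repository itself, so no separate actions/checkout step is needed, matching the examples above. If your organization requires third-party actions to be pinned to an immutable revision rather than a moving tag, replace @v1 with the full commit SHA of the release you have reviewed; the inputs are unchanged.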

Report Issues / Send Patches

This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://go.dev/doc/contribute.html.

The main issue tracker for this repository is located at https://github.com/golang/go/issues. Prefix your issue with “x/govulncheck-action:” in the subject line, so it is easy to find.