.github/workflows/security.yml

---
name: Security Checks
on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
  schedule:
    - cron: '0 15 * * 0'

permissions:
  contents: read
  actions: read
  pull-requests: read
  security-events: write

jobs:
  gosec:
    name: Golang Security Checker
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout Source
        uses: actions/checkout@v4
      - name: Run Gosec Security Scanner
        uses: securego/gosec@master
        with:
          args: '-no-fail -fmt sarif -out results.sarif -tests ./...'
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v3
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: results.sarif
  govulncheck:
    name: Govulncheck
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
      - name: Setup Go
        uses: WillAbides/setup-go-faster@v1.14.0
        with:
          go-version-file: go.mod
      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - name: Run govulncheck
        run: govulncheck ./...