.github/workflows/security.yml

---
name: Security Checks
on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
  schedule:
    - cron: '0 15 * * 0'

permissions:
  contents: read
  actions: read
  pull-requests: read
  security-events: write

jobs:
  gosec:
    name: Golang Security Checker
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout Source
        uses: actions/checkout@v4
      - name: Run Gosec Security Scanner
        uses: securego/gosec@v2.21.4
        with:
          args: '-no-fail -fmt sarif -out results.sarif -tests ./...'
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v3
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: results.sarif
  govulncheck:
    name: Govulncheck
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
      - name: Setup Go
        uses: WillAbides/setup-go-faster@v1.14.0
        with:
          go-version-file: go.mod
      - id: govulncheck
        uses: golang/govulncheck-action@v1.0.3
        with:
          output-format: sarif
          output-file: results.sarif
      - name: Fix SARIF format
        run: yq --inplace --output-format json '.runs |= map ({"results":[]} + .)' results.sarif
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif