govulncheck to report known vulnerabilities
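--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -145,6 +145,35 @@ jobs:
 directory: ${{ env.DESTDIR }}/coverage
 token: ${{ secrets.CODECOV_TOKEN }}
 
+govulncheck:
+runs-on: ubuntu-latest
+permissions:
+# same as global permission
+contents: read
+# required to write sarif report
+security-events: write
+steps:
+-
+name: Checkout
+uses: actions/checkout@v4
+-
+name: Set up Docker Buildx
+uses: docker/setup-buildx-action@v3
+-
+name: Run
+uses: docker/bake-action@v6
+with:
+source: .
+targets: govulncheck
+env:
+GOVULNCHECK_FORMAT: sarif
+-
+name: Upload SARIF report
+if: ${{ github.ref == 'refs/heads/master' }}
+uses: github/codeql-action/upload-sarif@v3
+with:
+sarif_file: ${{ env.DESTDIR }}/govulncheck.out
+
 artifact:
 runs-on: ubuntu-latest
 needs: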
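Review bot: The `Upload SARIF report` step is gated on `refs/heads/master`, so on pull requests the new job runs govulncheck but its findings appear only in the build log, and whether a finding fails the job depends entirely on the exit status that reaches the bake step (the `tee` pipeline in the new Dockerfile, reviewed there). That is worth stating on the job so nobody expects PR alerts: `# SARIF is uploaded to code scanning on master only; PR runs rely on the job's exit status`. The four `uses:` lines pin floating major tags; for a job granted `security-events: write`, pinning to a full commit SHA with the tag in a comment (`uses: github/codeql-action/upload-sarif@<full-sha> # v3`) limits what a moved tag can do, though if the rest of the workflow (outside this hunk) uses tag pins, that is a file-wide change rather than one for this commit.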
@@ -171,3 +171,18 @@ target "gen-validate" {
|
|||||||
target = "validate"
|
target = "validate"
|
||||||
output = ["type=cacheonly"]
|
output = ["type=cacheonly"]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "GOVULNCHECK_FORMAT" {
|
||||||
|
default = null
|
||||||
|
}
|
||||||
|
|
||||||
|
target "govulncheck" {
|
||||||
|
inherits = ["_common"]
|
||||||
|
dockerfile = "./hack/govulncheck.Dockerfile"
|
||||||
|
target = "output"
|
||||||
|
args = {
|
||||||
|
FORMAT = GOVULNCHECK_FORMAT
|
||||||
|
}
|
||||||
|
no-cache-filter = ["run"]
|
||||||
|
output = ["${DESTDIR}"]
|
||||||
|
}
|
||||||
|
|||||||
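Review bot: `no-cache-filter = ["run"]` on the new `govulncheck` target and `default = null` on `GOVULNCHECK_FORMAT` both carry intent the hunk does not state; a comment on each would help, e.g. `# never cache the scan stage so every build queries current vulnerability data` and `# null leaves FORMAT unset so the Dockerfile's own default applies` (the latter assumes bake omits null args, which this hunk does not show). The `target = "output"` / `output = ["${DESTDIR}"]` pair is what makes `govulncheck.out` land where the workflow's upload step reads it, so the same comment could name that dependency. The file header for this section is not shown on the page.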
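--- /dev/null
+++ b/hack/govulncheck.Dockerfile
@@ -0,0 +1,26 @@
+# syntax=docker/dockerfile:1
+
+ARG GO_VERSION="1.24"
+ARG ALPINE_VERSION="3.22"
+
+ARG GOVULNCHECK_VERSION="v1.1.4"
+ARG FORMAT="text"
+
+FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS base
+WORKDIR /go/src/github.com/docker/buildx
+RUN apk add --no-cache moreutils
+ARG GOVULNCHECK_VERSION
+RUN --mount=type=cache,target=/root/.cache \
+--mount=type=cache,target=/go/pkg/mod \
+go install golang.org/x/vuln/cmd/govulncheck@$GOVULNCHECK_VERSION
+
+FROM base AS run
+ARG FORMAT
+RUN --mount=type=bind,target=. <<EOT
+set -ex
+mkdir /out
+govulncheck -format ${FORMAT} ./... | tee /out/govulncheck.out
+EOT
+
+FROM scratch AS output
+COPY --from=run /out /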
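Review bot: In the `run` stage heredoc, `govulncheck -format ${FORMAT} ./... | tee /out/govulncheck.out` runs under `set -ex` without `pipefail`, so the stage's status is `tee`'s and a non-zero exit from govulncheck (it signals findings and errors through its exit code in text mode — confirm what it does for `sarif`) never fails the build; add `set -o pipefail` after `set -ex` if the image's BusyBox ash supports it, or redirect the report to the file first and `cat` it after capturing `$?`. `WORKDIR /go/src/github.com/docker/buildx` looks carried over from another project; the bind mount targets `.` so it still works, but a path matching this repository avoids confusion. `RUN apk add --no-cache moreutils` installs a package nothing in this file uses, so it can be dropped from the base stage.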