govulncheck to report known vulnerabilities

2025-12-21 13:23:09 +01:00 · 2025-08-03 21:09:26 +02:00
parent e75fe25620
commit 2878c49f26
3 changed files with 70 additions and 0 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -145,6 +145,35 @@ jobs:
          directory: ${{ env.DESTDIR }}/coverage
          token: ${{ secrets.CODECOV_TOKEN }}

+  govulncheck:
+    runs-on: ubuntu-latest
+    permissions:
+      # same as global permission
+      contents: read
+      # required to write sarif report
+      security-events: write
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      -
+        name: Run
+        uses: docker/bake-action@v6
+        with:
+          source: .
+          targets: govulncheck
+        env:
+          GOVULNCHECK_FORMAT: sarif
+      -
+        name: Upload SARIF report
+        if: ${{ github.ref == 'refs/heads/master' }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ env.DESTDIR }}/govulncheck.out
+
  artifact:
    runs-on: ubuntu-latest
    needs:
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -171,3 +171,18 @@ target "gen-validate" {
  target = "validate"
  output = ["type=cacheonly"]
 }
+
+variable "GOVULNCHECK_FORMAT" {
+  default = null
+}
+
+target "govulncheck" {
+  inherits = ["_common"]
+  dockerfile = "./hack/govulncheck.Dockerfile"
+  target = "output"
+  args = {
+    FORMAT = GOVULNCHECK_FORMAT
+  }
+  no-cache-filter = ["run"]
+  output = ["${DESTDIR}"]
+}
--- a/hack/govulncheck.Dockerfile
+++ b/hack/govulncheck.Dockerfile
@@ -0,0 +1,26 @@
+# syntax=docker/dockerfile:1
+
+ARG GO_VERSION="1.24"
+ARG ALPINE_VERSION="3.22"
+
+ARG GOVULNCHECK_VERSION="v1.1.4"
+ARG FORMAT="text"
+
+FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS base
+WORKDIR /go/src/github.com/docker/buildx
+RUN apk add --no-cache moreutils
+ARG GOVULNCHECK_VERSION
+RUN --mount=type=cache,target=/root/.cache \
+    --mount=type=cache,target=/go/pkg/mod \
+    go install golang.org/x/vuln/cmd/govulncheck@$GOVULNCHECK_VERSION
+
+FROM base AS run
+ARG FORMAT
+RUN --mount=type=bind,target=. <<EOT
+  set -ex
+  mkdir /out
+  govulncheck -format ${FORMAT} ./... | tee /out/govulncheck.out
+EOT
+
+FROM scratch AS output
+COPY --from=run /out /