Setting up govulncheck in GitHub Actions with GitHub Code Scanning alerts


With oapi-codegen, as with many other projects in the ecosystem, we've been asked a few times in the past "can you please update this dependency as it has a CVE".

I'll generally reach for govulncheck as a way to confirm the impact, given it validates - via static analysis of the call graph - whether the vulnerable function in the dependency is actually called from your code (sometimes known as "reachability"), rather than just whether the affected module version appears in your `go.mod`.

Although we're still working towards defining when dependencies with CVEs will be updated, this is a step towards having a better gauge of what's actually affected, and therefore how urgently it needs addressing.

Building on Brandur's thoughts on running govulncheck in CI, we can go a step further and integrate the results into GitHub Code Scanning alerts, for better visibility.

For instance, when running against the "runtime" library, we can see:

A screenshot of the Code Scanning alerts page for the runtime library, which is only accessible to maintainers on the project. In it, we can see there is one finding - GO-2024-2687 - which is marked as an "Error" as it is reachable and is one we need to resolve, then there are 4 "Warnings" and 3 "Notes" of lower priority

So how do we do this?

I've found that the following GitHub Actions workflow is the minimal set of configuration needed to get govulncheck's SARIF reporting format out, and then uploaded into GitHub to surface as a Code Scanning alert:

name: Determine known CVEs through `govulncheck`
on:
  push:
    branches:
      - main
  schedule:
    # Mondays at 00:00 UTC, so advisories published against unchanged code are still picked up
    - cron: "0 0 * * 1"
jobs:
  check-for-vulnerabilities:
    name: Check for vulnerabilities using `govulncheck`
    runs-on: ubuntu-latest
    permissions:
      # required for upload-sarif to create Code Scanning alerts
      security-events: write
      # required for the action to check out the repository
      contents: read
    steps:
      - uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
        with:
          # NOTE that we want to produce the SARIF-formatted report, which can then be consumed by other tools ...
          output-format: sarif
          output-file: govulncheck.sarif

      # ... such as the Code Scanning tab (https://github.com/oapi-codegen/oapi-codegen/security/code-scanning?query=is%3Aopen+branch%3Amain+tool%3Agovulncheck)
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.2
        with:
          sarif_file: govulncheck.sarif
          # keeps govulncheck's alerts separate from other SARIF uploads (e.g. CodeQL) on the same commit
          category: govulncheck

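The workflow above surfaces findings as Code Scanning alerts, but the Error/Warning/Note split is only visible in the GitHub UI. As an added example (not code from the original post, nor from the oapi-codegen or govulncheck projects), here is a small Go program that reads the same `govulncheck.sarif` file and turns the SARIF `level` of each result into a triage summary and a CI gate, so that only reachable vulnerabilities block a build. The level mapping assumed here (error = vulnerable symbol is called, warning = vulnerable package is imported but not called, note = vulnerable module is only required) follows govulncheck's SARIF output and matches the screenshot's split; the embedded SARIF document is constructed, with GO-2024-2687 taken from the screenshot and the `GO-0000-000x` IDs being placeholders rather than real advisories.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// sampleSARIF is a constructed stand-in for the govulncheck.sarif file the
// workflow uploads. It is not real govulncheck output: GO-2024-2687 is the ID
// shown on the Code Scanning screenshot, the GO-0000-000x IDs are placeholders.
const sampleSARIF = `{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "govulncheck"}},
    "results": [
      {"ruleId": "GO-2024-2687", "level": "error",   "message": {"text": "constructed: vulnerable symbol is called"}},
      {"ruleId": "GO-0000-0001", "level": "warning", "message": {"text": "constructed: vulnerable package imported, not called"}},
      {"ruleId": "GO-0000-0002", "level": "warning", "message": {"text": "constructed: vulnerable package imported, not called"}},
      {"ruleId": "GO-0000-0003", "level": "note",    "message": {"text": "constructed: vulnerable module required, not imported"}}
    ]
  }]
}`

// sarifLog is the subset of SARIF 2.1.0 this summary needs.
type sarifLog struct {
	Runs []struct {
		Results []sarifResult `json:"results"`
	} `json:"runs"`
}

type sarifResult struct {
	RuleID  string `json:"ruleId"`
	Level   string `json:"level"`
	Message struct {
		Text string `json:"text"`
	} `json:"message"`
}

// Summary groups findings by SARIF level. The assumed govulncheck mapping is:
// "error" = vulnerable symbol reachable from your code, "warning" = vulnerable
// package imported but not called, "note" = vulnerable module merely required.
type Summary struct {
	Counts  map[string]int // number of results per level
	MustFix []string       // ruleIds at level "error", deduplicated and sorted
}

// Summarise parses a SARIF document and tallies results by level.
func Summarise(data []byte) (Summary, error) {
	var doc sarifLog
	if err := json.Unmarshal(data, &doc); err != nil {
		return Summary{}, fmt.Errorf("parse SARIF: %w", err)
	}
	s := Summary{Counts: map[string]int{}}
	seen := map[string]bool{}
	for _, run := range doc.Runs {
		for _, r := range run.Results {
			level := r.Level
			if level == "" {
				level = "warning" // SARIF 2.1.0 default when level is omitted
			}
			s.Counts[level]++
			if level == "error" && !seen[r.RuleID] {
				seen[r.RuleID] = true
				s.MustFix = append(s.MustFix, r.RuleID)
			}
		}
	}
	sort.Strings(s.MustFix)
	return s, nil
}

// ShouldFail is the gate a CI job could apply on top of the upload: only
// reachable vulnerabilities block the build; warnings and notes are left
// in Code Scanning for later triage.
func ShouldFail(s Summary) bool { return len(s.MustFix) > 0 }

func main() {
	s, err := Summarise([]byte(sampleSARIF))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, level := range []string{"error", "warning", "note"} {
		fmt.Printf("%-8s %d\n", level, s.Counts[level])
	}
	fmt.Println("must fix:", s.MustFix, "fail build:", ShouldFail(s))
}
```

To use it against a real run, replace `sampleSARIF` with the contents of the `govulncheck.sarif` file from the workflow (for example with `os.ReadFile`) and have the job exit non-zero when `ShouldFail` returns true; the upload step should then carry `if: always()` so the alerts still reach Code Scanning when the gate fails.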
Written by Jamie Tanna.

Content for this article is shared under the terms of the Creative Commons Attribution Non Commercial Share Alike 4.0 International, and code is shared under the Apache License 2.0.

#blogumentation #go #github-actions #oapi-codegen #security.

This post was filed under articles.
