Govulncheck Scan & Issue Creator #45
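name: 'Govulncheck Scan & Issue Creator'

on:
  workflow_dispatch:
  schedule:
    # 08:00 every day (GitHub cron schedules are evaluated in UTC).
    - cron: '0 8 * * *'

jobs:
  scan-and-report:
    name: Run govulncheck and Create Issue
    runs-on: ubuntu-24.04
    # Least privilege: the job only needs to read the tree and open issues.
    permissions:
      contents: read   # To check out code
      issues: write    # To create issues
    steps:
      # NOTE(review): major-version tags such as @v5/@v6 are mutable. Pinning
      # these actions to a full commit SHA removes the chance of a retagged
      # release running with this job's token.
      - name: Checkout code
        uses: actions/checkout@v5

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version-file: "go.mod"

      - name: Install govulncheck
        # TODO(review): '@latest' resolves to whatever the module proxy serves
        # at run time, so the scanner itself is not reproducible. Pin an
        # explicit version and bump it deliberately.
        run: go install golang.org/x/vuln/cmd/govulncheck@latest

      - name: Run govulncheck and count findings
        id: govulncheck-scan
        run: |
          # Fail the step if govulncheck itself errors (e.g. a build failure).
          # Without pipefail, jq's exit status would mask that error and the
          # scan would silently report zero findings.
          set -euo pipefail

          # With -json, govulncheck exits 0 even when vulnerabilities are
          # found, so findings are counted from the output, not the exit code.
          govulncheck -json ./... | jq 'select(.finding)' > results.json

          # Count distinct OSV ids; an empty results.json yields 0.
          # NOTE(review): JSON mode appears to emit findings at module and
          # package level as well as symbol level, so this may count advisories
          # the text report would only list as informational — confirm before
          # reading the number as "reachable vulnerabilities".
          COUNT=$(jq -s '[.[] | .finding.osv] | unique | length' results.json)
          echo "Found $COUNT vulnerabilities."

          # Exposed to the next step via the step output.
          echo "vuln_count=$COUNT" >> "$GITHUB_OUTPUT"

          # Full findings go to the run log, which the created issue links to.
          cat results.json

      - name: Create GitHub Issue (if vulns found)
        if: steps.govulncheck-scan.outputs.vuln_count > 0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPO: ${{ github.repository }}
          # Expressions are expanded into environment variables, never into
          # the script body, so a ref name cannot inject shell.
          ISSUE_TITLE: "govulncheck: security vulnerabilities detected in ${{ github.ref_name }} branch"
          # Block scalar: YAML keeps the newlines, so the body can be passed
          # to gh as-is without `echo -e` re-interpreting backslashes.
          ISSUE_BODY: |
            **Automated Vulnerability Report**

            `govulncheck` found **${{ steps.govulncheck-scan.outputs.vuln_count }}** vulnerabilities on the `${{ github.ref_name }}` branch.

            Please review the full scan results in the workflow run for details:
            ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}

            Link to tutorial: https://go.dev/doc/tutorial/govulncheck

            **Action Items:**
            - [ ] Install govulncheck with `go install golang.org/x/vuln/cmd/govulncheck@latest`
            - [ ] Run `govulncheck ./...`
            - [ ] Read the stack trace
            - [ ] Run `go get -u [dependency]` for vulnerabilities to address them
            - [ ] Run `go mod tidy` to clean up go.mod and go.sum files after updating dependencies
            - [ ] Raise PR to fix and close this issue
        run: |
          set -euo pipefail

          # De-duplicate on the exact title. `--search` is a fuzzy text match
          # (it can return issues whose title merely contains the same words),
          # so the returned titles are compared for equality. --limit is raised
          # above the default so a match is not missed in a busy tracker.
          # If the list call itself fails, set -e aborts the step rather than
          # falling through and creating a duplicate issue.
          EXISTING=$(gh issue list --state open --limit 100 \
            --search "in:title \"$ISSUE_TITLE\"" --json title -R "$GH_REPO")

          if jq -e --arg t "$ISSUE_TITLE" 'any(.[]; .title == $t)' <<<"$EXISTING" > /dev/null; then
            echo "An open issue with this title already exists. Skipping creation."
          else
            echo "No existing issue found. Creating a new one."
            gh issue create --title "$ISSUE_TITLE" --body "$ISSUE_BODY" -R "$GH_REPO"
          fi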