Go provides tooling to analyze your codebase and surface known vulnerabilities. This tooling is backed by the Go vulnerability database, which is curated by the Go security team. Go’s tooling reduces noise in your results by only surfacing vulnerabilities in functions that your code is actually calling.
Important: The Go version used to build `govulncheck` must match the version used in your project. Use the `go-version` input to specify the version to be used. If not provided, the latest available version is used by default. For more information about this requirement, please refer to issue golang/go#55045.
More information: Vulnerability Management for Go.
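The version-match requirement above is easy to get wrong on a self-hosted runner where several toolchains are installed. The following shell wrapper, an added example that is not part of this action, checks that the `go` binary on `PATH` reports the same major.minor as the declared `go-version` before it builds and runs `govulncheck`. It assumes the standard `go version` output format (`go version go1.20.5 linux/amd64`) and that `govulncheck` is installed from `golang.org/x/vuln/cmd/govulncheck`; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of bryk-io/govuln-scan-action): refuse to run
# govulncheck when the toolchain on PATH does not match the declared go-version.

# Extract the major.minor ("1.20") from a `go version` line such as
# "go version go1.20.5 linux/amd64". Prints nothing if the line does not parse.
go_minor_from_version_line() {
  printf '%s\n' "$1" | sed -n 's/^go version go\([0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p'
}

# Return 0 when the declared go-version ("1.20", "1.20.5", "1.20rc1") has the
# same major.minor as the toolchain's `go version` output, 1 otherwise.
go_version_matches() {
  declared_minor=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p')
  actual_minor=$(go_minor_from_version_line "$2")
  [ -n "$declared_minor" ] && [ -n "$actual_minor" ] && [ "$declared_minor" = "$actual_minor" ]
}

# Wrapper: build govulncheck with the current toolchain and scan the module,
# but only after the version check passes (exit 1 on mismatch, 2 if no `go`).
run_govulncheck_checked() {
  declared="$1"
  actual=$(go version 2>/dev/null) || { echo "go toolchain not found on PATH" >&2; return 2; }
  if ! go_version_matches "$declared" "$actual"; then
    echo "go-version mismatch: declared $declared, toolchain reports: $actual" >&2
    return 1
  fi
  # Assumed install path of govulncheck; it is compiled by the toolchain just checked.
  go install golang.org/x/vuln/cmd/govulncheck@latest && govulncheck ./...
}

# Usage (uncomment to run locally): run_govulncheck_checked "1.20"
```

Only the major.minor is compared, which mirrors what the note above is about: the vulnerability reports depend on the toolchain that compiled `govulncheck` matching the project's, and a patch-level difference within the same minor release does not change that.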
Sample step configuration:

```yaml
steps:
  # Vulnerabilities scan
  - name: Go vulnerabilities scan
    uses: bryk-io/govuln-scan-action@v0.2.0
```

Sample workflow file:

```yaml
name: scan
on:
  # To manually run
  workflow_dispatch: {}
  # To automatically run for all commits on branch 'main'
  push:
    branches:
      - main
jobs:
  # govulncheck scan
  scan:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      # Checkout code
      - name: Checkout repository
        uses: actions/checkout@v3
      # Vulnerabilities scan
      - name: Go vulnerabilities scan
        uses: bryk-io/govuln-scan-action@v0.2.0
        with:
          go-version: "1.20" # optional
```

To manually trigger this workflow using GitHub's CLI tool:

```sh
gh workflow run scan
```