Update GoSec workflow to latest version and add token fine-scoped token permissions (#546)

komish · web-flow · commit d5ae17d69376 · 2025-10-17T11:30:18.000-05:00
Signed-off-by: Jose R. Gonzalez &lt;komish@flutes.dev&gt;
diff --git a/.github/workflows/gosec.yaml b/.github/workflows/gosec.yaml
@@ -1,4 +1,4 @@
-name: Run Security Scan
+name: GoSec
 
 on:
   push:
@@ -9,26 +9,29 @@ on:
 jobs:
   scan:
     runs-on: ubuntu-latest
-
+    permissions:
+      # required for all workflows
+      security-events: write
+      contents: read
     steps:
+
       - name: Checkout repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 
-      - name: Run Gosec Security Scanner
+      - name: Security scan
+        shell: bash
         run: |
-          export PATH=$PATH:$(go env GOPATH)/bin
-          go install github.com/securego/gosec/v2/cmd/gosec@latest
-          make gosec
-          if [[ $? != 0 ]]
-          then
-            echo "gosec scanner failed to run "
-            exit 1
-          fi
+            make gosec
+            if [[ $? != 0 ]]
+            then
+              echo "gosec scanner failed to run "
+              exit 1
+            fi
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3.29.8
+        uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
         if: always()
         with:
           # Path to SARIF file relative to the root of the repository
diff --git a/Makefile b/Makefile
@@ -85,7 +85,8 @@ push-image:
 
 .PHONY: gosec
 gosec: install.gosec
-	$(GOSEC) -no-fail -fmt=sarif -out=gosec.sarif -exclude-dir tests ./...
+	$(GOSEC) -no-fail -fmt=sarif -out=gosec.sarif -exclude-dir tests --exclude G304 ./...
+	# excluding rule G304 because hits currently produce an invalid SARIF.
 
 ### Python Specific Targets
 PY_BIN ?= python3
@@ -147,7 +148,7 @@ venv.tools.always-reinstall:
 ### Developer Tooling Installation
 # gosec
 GOSEC = $(shell pwd)/out/gosec
-GOSEC_VERSION ?= latest
+GOSEC_VERSION ?= 6be2b51fd78feca86af91f5186b7964d76cb1256 # v2.22.10
 install.gosec: 
 	$(call go-install-tool,$(GOSEC),github.com/securego/gosec/v2/cmd/gosec@$(GOSEC_VERSION))
 
