.github/workflows/cve-scanner.yaml

name: Go Source Scanners
on:
  push:
    branches:
      - "master"
      - "v*.*.*"
      - "v*"
    tags:
      - "v*.*.*"
  pull_request:
    branches:
      - "master"
      - "v*.*.*"
      - "v*"

jobs:
  scanners:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Setup Env
        id: vars
        shell: bash
        run: |
          echo "SHA_SHORT=$(git rev-parse --short HEAD)" >> "${GITHUB_ENV}"
      - name: Run Gosec Security Scanner
        continue-on-error: true
        uses: securego/gosec@master
        with:
          args: ./...
      - name: Run Govulncheck Scanner
        continue-on-error: true
        uses: golang/govulncheck-action@v1
        with:
          go-package: ./...
          go-version-input: "1.22"
      - name: Run Trivy vulnerability scanner in repo mode
        continue-on-error: true
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: "fs"
          ignore-unfixed: true
          format: "json"