Security Scan #3691
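---
# Security Scan
#
# Three independent scanners, each publishing SARIF to the GitHub Security
# tab (code scanning):
#   - trivy-repo-scan:   Trivy filesystem scan of the whole checkout
#   - trivy-config-scan: Trivy misconfiguration scan of ./deploy/charts
#   - govulncheck:       Go vulnerability check gated by a reviewed ignore list
#
# Runs as a reusable workflow (workflow_call), on demand, on pushes and PRs
# to main, and daily so newly published advisories are caught even when the
# code has not changed.
name: Security Scan

on:
  workflow_call:
  workflow_dispatch:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    # Run daily at 2 AM UTC
    - cron: '0 2 * * *'

# Least privilege for GITHUB_TOKEN: read the checkout, write code-scanning
# alerts. When invoked via workflow_call the caller must grant at least this.
# NOTE(review): github/codeql-action/upload-sarif documents needing
# `actions: read` as well in private repositories, and pull requests from
# forks receive a read-only token so the upload steps may fail there —
# confirm against this repository's settings before relying on PR gating.
permissions:
  contents: read
  security-events: write

jobs:
  trivy-repo-scan:
    name: Trivy Repository Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
        with:
          # Nothing in this job pushes; do not leave the token in .git/config
          # where a later step (or the filesystem scan) could read it.
          persist-credentials: false

      # Filesystem scan of the checkout. No `exit-code` is set, so with
      # Trivy's default (0) findings do not fail this job; they are triaged
      # via the Security tab rather than blocking the build.
      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'

      # Upload even if the scan step failed (partial results are still
      # useful), but not after a cancellation: always() would still run
      # then; !cancelled() is GitHub's recommended form.
      # TODO(security): pin to a commit SHA like the other actions in this
      # file; a floating major tag can be moved by the upstream maintainers.
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        if: ${{ !cancelled() }}
        with:
          sarif_file: 'trivy-results.sarif'

  trivy-config-scan:
    name: Trivy Configuration Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
        with:
          # Nothing in this job pushes; do not persist the token.
          persist-credentials: false

      # Misconfiguration scan limited to the Helm charts. As above, no
      # `exit-code` is set, so findings are reported rather than blocking.
      - name: Run Trivy configuration scanner
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
        with:
          scan-type: 'config'
          scan-ref: './deploy/charts'
          format: 'sarif'
          output: 'trivy-config-results.sarif'

      # See the repo-scan job for why !cancelled() rather than always().
      # TODO(security): pin to a commit SHA like the other actions in this file.
      - name: Upload Trivy config scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        if: ${{ !cancelled() }}
        with:
          sarif_file: 'trivy-config-results.sarif'

  govulncheck:
    name: Go Vulnerability Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
        with:
          # Nothing in this job pushes; do not persist the token.
          persist-credentials: false

      # TODO(security): pin to a commit SHA like actions/checkout above.
      - name: Run govulncheck
        uses: golang/govulncheck-action@v1
        with:
          # Empty go-version-input so the toolchain version is taken from go.mod.
          go-version-input: ''
          go-version-file: go.mod
          go-package: ./...
          # Already checked out above.
          repo-checkout: false
          # JSON so the next step can apply the ignore list itself; that
          # step, not this one, decides whether the job passes.
          output-format: json
          output-file: govulncheck-output.json

      - name: Check for vulnerabilities (with exclusions)
        shell: bash
        run: |
          # Fail closed: a missing or unparsable report must fail the job,
          # not read as "no vulnerabilities". The previous form ran jq inside
          # a pipeline ending in `|| true` under the default `bash -e` shell
          # (no pipefail), so a jq error produced an empty list and exit 0.
          set -euo pipefail

          # Ignored vulnerabilities with justification:
          # GO-2025-4192: sigstore/timestamp-authority excessive memory allocation (CVE-2025-66564)
          #   Indirect dependency via sigstore-go (used for container signature verification).
          #   The vulnerability affects timestamp-authority server request parsing endpoints.
          #   ToolHive only uses sigstore-go as a client to verify signatures, it does not
          #   expose any timestamp-authority server endpoints. Fix requires sigstore-go to
          #   upgrade to timestamp-authority/v2 which hasn't been released yet.
          # Entries are whitespace-separated OSV IDs; re-check each one when
          # the dependency it names is bumped.
          IGNORED_VULNS="GO-2025-4192"

          # Show the raw output for debugging
          echo "::group::govulncheck raw output"
          cat govulncheck-output.json
          echo "::endgroup::"

          # Collect the OSV IDs attached to "finding" objects. jq runs on its
          # own so a parse error aborts the step under `set -e`; only grep's
          # "no match" status is tolerated.
          # NOTE(review): govulncheck's JSON stream may also carry module- and
          # package-level findings (trace shorter than 3 frames) for
          # vulnerabilities whose code is never called; if only called symbols
          # should gate, filter on `.finding.trace | length == 3` — confirm
          # against the govulncheck version in use.
          ALL_FINDINGS=$(jq -r 'select(.finding != null) | .finding.osv' govulncheck-output.json)
          FOUND_VULNS=$(printf '%s\n' "$ALL_FINDINGS" | sort -u | grep -E '^GO-' || true)

          if [ -z "$FOUND_VULNS" ]; then
            echo "✅ No vulnerabilities found"
            exit 0
          fi
          echo "Found vulnerabilities: $FOUND_VULNS"

          # Exact-ID membership test against the ignore list. A string
          # comparison is used instead of `grep -w` so an ID is never
          # interpreted as a regex and cannot match as a substring of another.
          UNIGNORED=""
          for vuln in $FOUND_VULNS; do
            if [[ " $IGNORED_VULNS " != *" $vuln "* ]]; then
              UNIGNORED="$UNIGNORED $vuln"
            fi
          done
          UNIGNORED=$(echo "$UNIGNORED" | xargs)

          if [ -z "$UNIGNORED" ]; then
            echo "⚠️ All vulnerabilities are ignored: $FOUND_VULNS"
            exit 0
          fi
          echo "❌ Vulnerabilities need attention: $UNIGNORED"
          exit 1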