55 changes: 55 additions & 0 deletions .github/workflows/go-vuln-scan.yml
@@ -0,0 +1,55 @@
name: Go Vulnerability Scan

on:
push:
branches:
- main
paths:
- "**.go"
- "go.mod"
- "go.sum"
pull_request:
paths:
- "**.go"
- "go.mod"
- "go.sum"
schedule:
# Run weekly on Monday at 08:00 UTC to catch newly disclosed vulnerabilities
- cron: "0 8 * * 1"

permissions:
contents: read

jobs:
govulncheck:
name: govulncheck
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- uses: actions/setup-go@v5
with:
go-version: "1.24"
check-latest: true

- name: Install govulncheck
run: go install golang.org/x/vuln/cmd/govulncheck@latest
Copilot AI Apr 2, 2026

Installing govulncheck with @latest makes the CI run non-reproducible and can cause unexpected failures when upstream releases change behavior. Prefer pinning to a specific govulncheck version (or a known-good commit) and updating it intentionally.

Suggested change
run: go install golang.org/x/vuln/cmd/govulncheck@latest
run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.0

- name: Run govulncheck
run: govulncheck ./...

gosec:
name: gosec
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- uses: actions/setup-go@v5
with:
go-version: "1.24"
check-latest: true

- name: Run gosec
uses: securego/gosec@master
Copilot AI Apr 2, 2026

The workflow pins the gosec action to securego/gosec@master, which is a moving target and can introduce supply-chain risk and non-reproducible CI behavior. Pin this to a tagged release or (preferably) a specific commit SHA, and consider using Dependabot to keep it updated.

Suggested change
uses: securego/gosec@master
uses: securego/gosec@v2.21.0

with:
args: -severity high -confidence medium -exclude-generated ./...
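Review bot: `actions/checkout@v4` and `actions/setup-go@v5` are pinned to mutable major tags, so the moving-target concern already raised on `securego/gosec@master` applies to them too, only with a narrower blast radius; pin every `uses:` in this workflow to a full commit SHA with the tag in a trailing comment (e.g. `uses: actions/checkout@<sha> # v4`) so the supply-chain posture is consistent across the file. Separately, the gosec step's `-severity high -confidence medium` filter means medium- and low-severity findings never surface in CI; if that is intentional, say so in a comment next to `args:` so a future reader does not assume the scan is exhaustive.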
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -2,6 +2,10 @@

## Unreleased

### Added

- Add Go vulnerability scanning CI workflow using `govulncheck` and `gosec` ([#65](https://github.com/KiiChain/kiichain/issues/65))

### Fixed

- Fix division-by-zero chain halt in `CalculateReward` caused by sub-second schedule durations; replace `Seconds()` truncation with `Nanoseconds()` precision and release full remaining reward when `EndTime <= LastReleaseTime` ([#267](https://github.com/KiiChain/kiichain/issues/267))
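Review bot: the new `### Added` entry says the workflow uses `govulncheck` and `gosec` but omits that it also runs on a weekly cron; mention the scheduled run so maintainers expect failures that show up without a triggering commit when a new advisory lands.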