Skip to content

Dependency Scanning #191

Dependency Scanning

Dependency Scanning #191

name: Dependency Scanning
on:
push:
branches: [main]
paths:
- 'go.mod'
- 'go.sum'
- '.github/workflows/dependency-scan.yml'
pull_request:
branches: [main]
paths:
- 'go.mod'
- 'go.sum'
- '.github/workflows/dependency-scan.yml'
schedule:
# Run weekly on Monday at 6:00 UTC
- cron: '0 6 * * 1'
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
permissions:
contents: read
security-events: write
pull-requests: write
jobs:
# Dependency review (for PRs only)
dependency-review:
name: Dependency Review
runs-on: qnap-nas
if: github.event_name == 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Dependency Review
uses: actions/dependency-review-action@4901385134134e04cec5fbe5ddfe3b2c5bd5d976 # v4
with:
fail-on-severity: high
allow-licenses: Apache-2.0, MIT, BSD-2-Clause, BSD-3-Clause, ISC, MPL-2.0, CC0-1.0, Unlicense
comment-summary-in-pr: true
# Trivy vulnerability scanner for dependencies
trivy-scan:
name: Trivy Vulnerability Scan
runs-on: qnap-nas
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload Trivy results to GitHub Security
uses: github/codeql-action/upload-sarif@dd677812177e0c29f9c970a6c58d8607ae1bfefd # v4
if: always()
with:
sarif_file: 'trivy-results.sarif'
- name: Run Trivy with JSON output
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'json'
output: 'trivy-report.json'
severity: 'CRITICAL,HIGH,MEDIUM'
- name: Upload Trivy report artifact
if: always()
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
with:
name: trivy-report
path: trivy-report.json
retention-days: 30
# Check for outdated dependencies (scheduled/manual only)
outdated-check:
name: Check Outdated Dependencies
runs-on: qnap-nas
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Set up Go
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
with:
go-version-file: 'go.mod'
cache: true
- name: Check for outdated dependencies
run: |
echo "=== Checking for outdated dependencies ==="
go list -u -m -json all | jq -r 'select(.Update != null) | "\(.Path): \(.Version) -> \(.Update.Version)"' > outdated.txt
if [ -s outdated.txt ]; then
echo "Outdated dependencies found:"
cat outdated.txt
else
echo "All dependencies are up to date"
fi
- name: Upload outdated dependencies list
if: always()
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
with:
name: outdated-dependencies
path: outdated.txt
retention-days: 7
# Security summary
summary:
name: Security Summary
runs-on: qnap-nas
needs: [trivy-scan]
if: always()
steps:
- name: Create security summary
env:
TRIVY_RESULT: ${{ needs.trivy-scan.result }}
run: |
echo "# Dependency Security Summary" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "## Scan Results" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "| Scanner | Status |" >> $GITHUB_STEP_SUMMARY
echo "|---------|--------|" >> $GITHUB_STEP_SUMMARY
if [ "$TRIVY_RESULT" = "success" ]; then
echo "| Trivy | Passed |" >> $GITHUB_STEP_SUMMARY
else
echo "| Trivy | Issues Found |" >> $GITHUB_STEP_SUMMARY
fi
echo "" >> $GITHUB_STEP_SUMMARY
echo "Detailed reports are available in the workflow artifacts." >> $GITHUB_STEP_SUMMARY