ci: bump the github-actions group across 1 directory with 4 updates #310

Workflow file for this run

.github/workflows/security.yml at fc84954

	name: Security

	on:
	workflow_call:
	push:
	branches: [master]
	pull_request:
	branches: [master]
	schedule:
	- cron: '0 6 * * 1'

	permissions: {}

	jobs:
	secrets:
	name: Secret scanning
	runs-on: ubuntu-latest
	permissions:
	contents: read
	steps:
	- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	fetch-depth: 0
	persist-credentials: false
	- name: Install gitleaks
	run: \|
	curl -sSfL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz \| tar -xz
	sudo mv gitleaks /usr/local/bin/
	- name: Run gitleaks
	run: gitleaks detect --source . --verbose

	trivy:
	name: Trivy vulnerability scan
	runs-on: ubuntu-latest
	permissions:
	contents: read
	security-events: write
	if: github.event_name != 'pull_request'
	steps:
	- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	persist-credentials: false
	- uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # 0.36.0
	with:
	scan-type: fs
	format: sarif
	output: trivy-results.sarif
	- uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
	with:
	sarif_file: trivy-results.sarif
	category: trivy

	gosec:
	name: Go security analysis
	runs-on: ubuntu-latest
	permissions:
	contents: read
	security-events: write
	if: github.event_name != 'pull_request'
	steps:
	- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	persist-credentials: false
	- uses: securego/gosec@4a3bd8af174872c778439083ded7adbf3747e770 # v2.26.1
	with:
	args: -no-fail -exclude=G304,G401,G501 -exclude-dir=e2e -fmt sarif -out gosec-results.sarif ./...
	- uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
	with:
	sarif_file: gosec-results.sarif
	category: gosec

	dependency-review:
	name: Dependency review
	runs-on: ubuntu-latest
	permissions:
	contents: read
	if: github.event_name == 'pull_request'
	steps:
	- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	persist-credentials: false
	- uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ci: bump the github-actions group across 1 directory with 4 updates #310

Workflow file

ci: bump the github-actions group across 1 directory with 4 updates #310

Uh oh!

Workflow file for this run