
Add workflow to run security scan for gama's github repository #22

Open

canack opened this issue Jan 9, 2024 · 3 comments

Labels: good first issue (The great way to start contribution), improvement (To make it better)

Comments

@canack (Member) commented Jan 9, 2024

We can add an Open Source Scanner to our workflow, which will run every time we push to the PR or main branch.

@canack added the labels "improvement (To make it better)" and "good first issue (The great way to start contribution)" on Jan 9, 2024

atilsensalduz added a commit to atilsensalduz/gama that referenced this issue Feb 25, 2025:
This commit introduces a new GitHub Actions workflow to run 'govulncheck' for security scanning of Go modules.
The workflow will automatically scan for known vulnerabilities and enhance the security posture of the repository.

References:
- Go Vulnerability Management: https://go.dev/blog/vuln
- Related Issue: termkit#22

Signed-off-by: atilsensalduz <atil.sensalduz@gmail.com>
@atilsensalduz commented:
Hey @canack, I've created a pull request to address this issue.

The new PR introduces a GitHub Actions workflow that integrates govulncheck for automated security scanning of Go modules. This will help identify and mitigate potential vulnerabilities early in the development process.

If you’d like, you can assign this issue to me. I’d love to add more security checks to further improve the security posture of the repository.

If you have any feedback or suggestions, please feel free to share them on the PR!

Thank you

@canack (Member, Author) commented Feb 26, 2025

Hi @atilsensalduz, nice to see you interested in GAMA! 🍀
I'll review this evening. But how about we use "https://github.com/securego/gosec"?
As far as I know, gosec seems better than govulncheck. What do you think? 👀

atilsensalduz added a commit to atilsensalduz/gama that referenced this issue Feb 26, 2025:
This commit introduces a new GitHub Actions workflow to run 'gosec' for static code analysis of Go modules.
The workflow will automatically scan the source code for potential security issues and improve the security posture of the repository.

References:
- Gosec Documentation: https://github.com/securego/gosec
- Related Issue: termkit#22

Signed-off-by: atilsensalduz <atil.sensalduz@gmail.com>
@atilsensalduz commented:
Great suggestion, @canack! I was also thinking about adding more security controls to the repository, and gosec is one of them.

While govulncheck focuses on checking Go module dependencies against the Go vulnerability database, gosec identifies security issues in the source code. I believe using both tools would significantly improve the security posture of the repository. And gosec already found something 😄

[image: screenshot of gosec findings, not preserved]
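The two workflows discussed in this thread (govulncheck for known vulnerabilities in dependencies, gosec for static analysis of the source) can live in a single GitHub Actions file. The following is an added example written for this discussion; it is not the workflow from atilsensalduz's pull requests or the gama repository's own configuration. It assumes a `go.mod` at the repository root, a `main` branch, the file path `.github/workflows/security-scan.yml`, and that both tools are installed with `go install` at run time rather than through their marketplace actions.

```yaml
# .github/workflows/security-scan.yml (added example; path and job names are assumptions)
name: security-scan

# Run on every push to main and on every pull request, as requested in the issue.
on:
  push:
    branches: [main]
  pull_request:

# Least privilege: the scanners only need to read the checkout.
permissions:
  contents: read

jobs:
  # Dependency scan: checks go.mod/go.sum and reachable call sites against
  # the Go vulnerability database (https://go.dev/blog/vuln).
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod   # pin the toolchain to what the module declares
      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - name: Scan dependencies
        run: govulncheck ./...     # exits non-zero when a reachable vulnerability is found

  # Source scan: static analysis for insecure code patterns (hard-coded
  # credentials, weak crypto, unchecked errors, etc.).
  gosec:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - name: Install gosec
        run: go install github.com/securego/gosec/v2/cmd/gosec@latest
      - name: Scan source
        run: gosec ./...           # exits non-zero when findings are reported
```

Keeping the two scanners as separate jobs means a dependency advisory and a source-code finding fail independently and show up as distinct checks on the PR. Both commands return a non-zero exit status on findings, so the first run will fail until the existing gosec results (the ones shown in the screenshot above) are fixed or explicitly triaged; until then, gosec's `-no-fail` flag can keep the job informational without hiding the report.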
