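---
# Security checks for the Go code and the native (C/C++) library under
# native/. Static analysis (govulncheck, gosec, an unsafe-usage grep,
# module verification) runs in one job; sanitizer builds of the native
# library run in a second.
name: Security Scan

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]

# Least-privilege token for every job: nothing below writes back to the
# repository. Enforced by GitHub Actions; Forgejo accepts the key, but
# confirm whether your runner version actually enforces it.
permissions:
  contents: read

jobs:
  security:
    name: Security Analysis
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # No step pushes, so do not leave the job token in .git/config
          # where later steps (including third-party actions) could read it.
          persist-credentials: false

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.25'

      - name: Run govulncheck
        uses: golang/govulncheck-action@v1
        with:
          go-version-input: '1.25'
          go-package: ./...

      - name: Run gosec
        # TODO(security): '@master' is a mutable ref, so any upstream commit
        # (including a compromised one) runs here immediately. Pin to a
        # release tag or, better, a full commit SHA and bump deliberately.
        uses: securego/gosec@master
        with:
          args: '-fmt sarif -out gosec-results.sarif ./...'

      - name: Upload gosec results
        uses: actions/upload-artifact@v4
        # Upload even when gosec fails so the findings remain inspectable.
        if: always()
        with:
          name: gosec-results
          path: gosec-results.sarif

      - name: Check for unsafe package usage
        run: |
          set -euo pipefail
          # Scan only the directories that exist. If none of them do, fail
          # loudly instead of letting the check pass vacuously (the original
          # form hid grep's "No such file" error and reported success).
          dirs=""
          for d in internal cmd pkg; do
            if [ -d "$d" ]; then
              dirs="$dirs $d"
            fi
          done
          if [ -z "$dirs" ]; then
            echo "ERROR: none of internal/, cmd/ or pkg/ exist; nothing was scanned"
            exit 1
          fi
          # Word boundary avoids matching identifiers that merely end in
          # "unsafe". Note this is a textual check: it also matches comments
          # and string literals, and misses an aliased import of "unsafe".
          # shellcheck disable=SC2086  # intentional word splitting of $dirs
          if grep -rn --include='*.go' -E '\bunsafe\.' $dirs; then
            echo "ERROR: unsafe package usage detected"
            exit 1
          fi
          echo "No unsafe package usage found"

      - name: Verify dependencies
        run: |
          set -euo pipefail
          # Cached module contents must still match the hashes in go.sum.
          go mod verify
          # Fail if go.mod/go.sum would change, i.e. a dependency was added
          # or dropped without updating them (-diff needs Go >= 1.23).
          go mod tidy -diff
          echo "Go modules verified"

  native-security:
    name: Native Library Security
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Install dependencies
        run: |
          set -euo pipefail
          sudo apt-get update
          sudo apt-get install -y cmake build-essential

      - name: Build with AddressSanitizer
        # ENABLE_ASAN is presumably an option defined in native/CMakeLists.txt;
        # confirm it adds -fsanitize=address to both compile and link flags.
        run: |
          set -euo pipefail
          cd native
          mkdir -p build
          cd build
          cmake .. -DCMAKE_BUILD_TYPE=Debug -DENABLE_ASAN=ON
          make -j"$(nproc)"

      - name: Run tests with ASan
        run: |
          set -euo pipefail
          cd native/build
          # ASan aborts on the first error by default; detect_leaks makes
          # LeakSanitizer report (and fail on) leaks at exit.
          ASAN_OPTIONS=detect_leaks=1 ctest --output-on-failure

      - name: Build with UndefinedBehaviorSanitizer
        # -fno-sanitize-recover=all is essential: by default UBSan only
        # prints a diagnostic and keeps running, so the test exit code stays
        # zero and CI reports green even when UB was detected.
        run: |
          set -euo pipefail
          cd native
          rm -rf build
          mkdir -p build
          cd build
          cmake .. -DCMAKE_BUILD_TYPE=Debug \
            -DCMAKE_C_FLAGS="-fsanitize=undefined -fno-sanitize-recover=all" \
            -DCMAKE_CXX_FLAGS="-fsanitize=undefined -fno-sanitize-recover=all"
          make -j"$(nproc)"

      - name: Run tests with UBSan
        run: |
          set -euo pipefail
          cd native/build
          # halt_on_error is belt-and-braces alongside -fno-sanitize-recover;
          # print_stacktrace makes the report actionable from the CI log.
          UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1 ctest --output-on-failure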