From c728e04711f9e5897792cc42ac83ff1904a2c55b Mon Sep 17 00:00:00 2001
From: Mohamed Chiheb Ben Jemaa
Date: Wed, 28 May 2025 11:52:06 +0200
Subject: [PATCH 1/2] ADD govluncheck action

---
 .github/workflows/vulncheck.yml | 30 ++++++++++++++++++++++++++++++
 Makefile                        | 13 +++++++++++++
 2 files changed, 43 insertions(+)
 create mode 100644 .github/workflows/vulncheck.yml

diff --git a/.github/workflows/vulncheck.yml b/.github/workflows/vulncheck.yml
new file mode 100644
index 00000000..61281a1e
--- /dev/null
+++ b/.github/workflows/vulncheck.yml
@@ -0,0 +1,30 @@
+name: Vulnerability Check
+on: [ pull_request ]
+
+permissions:
+  # Required: allow read access to the content for analysis.
+  contents: write
+  # Optional: Allow write access to checks to allow the action to annotate code in the PR.
+  checks: write
+
+jobs:
+  govulncheck:
+    name: vulncheck
+    runs-on: ubuntu-latest
+    steps:
+      - id: govulncheck
+        uses: golang/govulncheck-action@v1
+        with:
+          go-version-file: go.mod
+          go-package: ./...
+          repo-checkout: true
+          output-format: text
+          output-file: govulncheck.out
+
+      - name: PR comment with file
+        uses: thollander/actions-comment-pull-request@v2
+        if: github.event_name == 'pull_request'
+        with:
+          filePath: govulncheck.out
+          comment_tag: Vulnerability Check
+          mode: "recreate"
diff --git a/Makefile b/Makefile
index c8d3614f..c6c962af 100644
--- a/Makefile
+++ b/Makefile
@@ -142,6 +142,10 @@ verify-gen: generate manifests mockgen ## Verify go generated files and CRDs are
 		echo "generated files are out of date, run make generate and/or make mockgen"; exit 1; \
 	fi
 
+.PHONY: vuln-check
+vuln-check: govulncheck ## Run govulncheck to check for known vulnerabilities in the code.
+	$(GOVULNCHECK) ./...
+
 ##@ Deployment
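Review bot: Both actions in the workflow hunk are referenced by a floating major tag (`uses: golang/govulncheck-action@v1` and `uses: thollander/actions-comment-pull-request@v2`), so whoever controls those tags can change what runs in this job without any change in this repository; pinning each to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: golang/govulncheck-action@<commit-sha> # v1`, makes both the scan step and the step that posts its output reproducible and reviewable in future diffs. The `if: github.event_name == 'pull_request'` guard on the comment step is redundant while the only trigger is `on: [ pull_request ]`; if it is meant as a safeguard for triggers added later, a short comment saying so would stop it reading as dead code. The comment step posts the whole `govulncheck.out` into the PR thread, which is fine for a private repository but, if this one is public, means unfixed findings are disclosed before a fix lands.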
@@ -177,12 +181,15 @@ $(LOCALBIN):
 KUSTOMIZE ?= $(LOCALBIN)/kustomize
 CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen
 ENVTEST ?= $(LOCALBIN)/setup-envtest
+GOVULNCHECK ?= $(LOCALBIN)/govulncheck
 
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v5.0.0
 CONTROLLER_TOOLS_VERSION ?= v0.16.5
 ENVTEST_VERSION ?= latest
+GOVULNCHECK_VERSION ?= latest
+
 
 KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"
 .PHONY: kustomize
 kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. If wrong version is installed, it will be removed before downloading.
@@ -204,6 +211,12 @@ envtest: $(ENVTEST) ## Download envtest-setup locally if necessary.
 $(ENVTEST): $(LOCALBIN)
 	test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@$(ENVTEST_VERSION)
 
+.PHONY: govulncheck
+govulncheck: $(GOVULNCHECK) ## Download govulncheck locally if necessary. If wrong version is installed, it will be overwritten.
+$(GOVULNCHECK): $(LOCALBIN)
+	test -s $(LOCALBIN)/govulncheck && $(LOCALBIN)/govulncheck --version | grep -q $(GOVULNCHECK_VERSION) || \
+	GOBIN=$(LOCALBIN) go install golang.org/x/vuln/cmd/govulncheck@$(GOVULNCHECK_VERSION)
+
 ##@ Test
 
 .PHONY: tilt-up

From 660c7c396a98c991137254176f7749560c86fa33 Mon Sep 17 00:00:00 2001
From: Mohamed Chiheb Ben Jemaa
Date: Wed, 28 May 2025 11:57:38 +0200
Subject: [PATCH 2/2] add permissions

---
 .github/workflows/vulncheck.yml | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/.github/workflows/vulncheck.yml b/.github/workflows/vulncheck.yml
index 61281a1e..6c2c453b 100644
--- a/.github/workflows/vulncheck.yml
+++ b/.github/workflows/vulncheck.yml
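Review bot: `GOVULNCHECK_VERSION ?= latest` in the tool-versions hunk leaves the vulnerability scanner itself unpinned, so the `go install golang.org/x/vuln/cmd/govulncheck@$(GOVULNCHECK_VERSION)` in the following hunk resolves to whatever is newest at build time and two runs of `make vuln-check` may execute different scanner releases. The pinned style of `KUSTOMIZE_VERSION ?= v5.0.0` and `CONTROLLER_TOOLS_VERSION ?= v0.16.5` directly above is the better model, e.g. `GOVULNCHECK_VERSION ?= <pinned-tag>` with bumps landing as reviewed commits; the pre-existing `ENVTEST_VERSION ?= latest` has the same issue but is outside this change. Judging by the hunk line counts, the added `+` blank line after `GOVULNCHECK_VERSION` sits directly before an existing blank line, so the section ends up with two empty lines in a row; dropping the added one keeps spacing consistent with the rest of the file.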
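Review bot: The up-to-date check in the `$(GOVULNCHECK)` recipe, `$(LOCALBIN)/govulncheck --version | grep -q $(GOVULNCHECK_VERSION)`, can only succeed when the version output literally contains the configured value, which a version string is unlikely to do for the default `latest` set in the preceding hunk; in that case the `||` branch runs `go install` on every `make govulncheck` or `make vuln-check`, making the build need network access each time and hiding the fact that the check never matches. Either pin a real tag so the grep is meaningful, or mirror the `$(ENVTEST)` rule directly above and use plain `test -s $(LOCALBIN)/govulncheck || GOBIN=$(LOCALBIN) go install golang.org/x/vuln/cmd/govulncheck@$(GOVULNCHECK_VERSION)`. If the grep is kept, quote the pattern (`grep -q -- "$(GOVULNCHECK_VERSION)"`) so an empty or odd value cannot turn into grep options, and have the `## … it will be overwritten.` help text say that the binary is reinstalled when its reported version does not contain `GOVULNCHECK_VERSION`.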
@@ -1,16 +1,11 @@
 name: Vulnerability Check
 on: [ pull_request ]
 
-permissions:
-  # Required: allow read access to the content for analysis.
-  contents: write
-  # Optional: Allow write access to checks to allow the action to annotate code in the PR.
-  checks: write
-
 jobs:
   govulncheck:
     name: vulncheck
     runs-on: ubuntu-latest
+    permissions: write-all
     steps:
       - id: govulncheck
         uses: golang/govulncheck-action@v1
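Review bot: `permissions: write-all` on the `govulncheck` job hands the workflow token every write scope (contents, packages, actions, deployments and so on) to a job that only needs to read the checkout and post a PR comment; replacing it with the scopes actually used, `permissions:` followed by `contents: read` and `pull-requests: write`, means a compromised or misbehaving third-party action in this job cannot push commits or publish packages with that token. As far as I can tell the token on `pull_request` runs from forks is read-only regardless of this setting, so `write-all` does not make the comment step work for fork PRs either. The removed top-level block carried `# Required: allow read access …` style comments explaining each scope; a one-line comment on the job-level block, e.g. `# contents: read for the checkout, pull-requests: write for the PR comment`, would keep that intent visible.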