πŸ’ΈSave up to $132K/month in CI costs!πŸ‘‰ Try Free✨
Skip to main content
← Back to workflows

How to Secure Your Go Projects in GitHub Actions?

securego/gosec -
GitHub Action
v2.19.0
7,757
Contributors
Contributor - ccojocarContributor - gcmurphy
Categories
GitHub
Security

Optimize Your CI/CD Pipeline

Get instant insights into your CI/CD performance and costs. Reduce build times by up to 45% and save on infrastructure costs.

45% Faster Builds
60% Cost Reduction
View Documentation β†’
Usage
name: Run Gosec
on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master
jobs:
  tests:
    runs-on: ubuntu-latest
    env:
      GO111MODULE: on
    steps:
      - name: Checkout Source
        uses: actions/checkout@v3
      - name: Run Gosec Security Scanner
        uses: securego/gosec@master
        with:
          args: ./...

gosec - Go Security Checker

Inspects source code for security problems by scanning the Go AST and SSA code representation.

What is gosec?​

gosec is a tool designed to enhance security in Go projects by scanning code and detecting secrets or sensitive information that might have been exposed accidentally. It analyzes the code statically and is particularly handy for ensuring our projects remain secure throughout the development lifecycle.

Why do we need gosec?​

Using gosec, especially integrated within GitHub Actions, streamlines our security checks. It automatically scans new code commits for security issues before merging them into the main branch. This preemptive approach helps prevent potential security vulnerabilities from becoming real issues in production.

Code Scanning with gosec​

The provided YAML code demonstrates how to integrate third-party code analysis tools with GitHub code scanning by uploading data as SARIF files. It includes a GitHub action workflow example that incorporates the gosec security scanner and uploads the results.sarif file to GitHub using the upload-sarif action.

name: "Security Scan Workflow"

# Trigger the workflow on code pushes and scheduled runs.
# Scheduled runs occur every Sunday at 00:00 UTC.
on:
  push:
  schedule:
    - cron: '0 0 * * 0'

jobs:
  security_scan:
    runs-on: ubuntu-latest
    env:
      GO111MODULE: on
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v3
      - name: Run Gosec Security Scanner
        uses: securego/gosec@master
        with:
          # Ensure that the report triggers content failures using GitHub Security features.
          args: '-no-fail -fmt sarif -out results.sarif ./...'
      - name: Upload SARIF Results
        uses: github/codeql-action/upload-sarif@v2
        with:
          # Specify the path to the SARIF file relative to the root of the repository.
          sarif_file: results.sarif

This workflow runs the security scan on every push to the repository and on a scheduled basis. It checks for security vulnerabilities using the gosec security scanner and uploads the results in SARIF format to GitHub for further analysis.

Integrating gosec could significantly enhance our project's security posture by providing ongoing checks against common vulnerabilities and misconfigurations. It’s straightforward to set up and can be customized to fit our project needs.