The following workflows are implemented in the repository. Workflows marked with SARIF upload store their analysis results in the SARIF format, which GitHub code scanning reads to show alerts in the Security tab of the repository.
Workflow | Jobs | Trigger | SARIF upload | Description |
---|---|---|---|---|
codeql.yml | analyze | push/pr to main, cron: 00 13 * * 1 | yes | Semantic code analysis |
dependency-review.yml | dependency-review | pr to main | - | Check that a pull request does not introduce vulnerable dependencies or dependencies with a disallowed license |
golangci-lint.yml | lint | push/pr on * | - | Lint Go code |
gosec.yml | analyze | push/pr on * | - | Inspect Go source code for security problems |
osv-scan.yml | analyze | push/pr to main, cron: 30 13 * * 1 | yes | Scan dependencies for known vulnerabilities |
release.yml | see release chapter | push tag v* | - | Create a release with Go binaries and a container image |
scorecard.yml | analyze | push to main, cron: 00 14 * * 1, change of branch protection | yes | Run the OpenSSF Scorecard analysis and publish the project score |
Action: https://github.com/github/codeql-action
CodeQL is a semantic code analysis engine that can find security vulnerabilities in codebases. The workflow displays security alerts in the repository's Security tab or in pull requests.
Action: https://github.com/actions/dependency-review-action
This action scans the dependency manifest files that change as part of a pull request and reports known-vulnerable versions of the packages declared or updated in the PR. Pull requests that introduce known-vulnerable packages are blocked from merging. It also lets you define a list of licenses that are allowed or disallowed in the project and checks whether the PR introduces a dependency with a disallowed license. In addition, it can look up the OpenSSF Scorecard of each dependency and warn when a dependency has a low score.
More information can be found in the GitHub documentation.
Action: https://github.com/golangci/golangci-lint-action
GolangCI-Lint is a fast Go linters runner. It runs linters in parallel, uses caching, and works on Linux, macOS, and Windows. The workflow runs the linters on the Go code in the repository.
Action: https://github.com/securego/gosec
Gosec is a security tool that performs static code analysis of Go code. The workflow scans the Go code in the repository for security issues.
Action: https://github.com/google/osv-scanner-action
OSV (Open Source Vulnerabilities) is a vulnerability database and triage infrastructure for open-source projects. OSV-Scanner queries that database to find known vulnerabilities in the dependencies of a project; the workflow uploads its results to the Security tab of the repository.
The release workflow includes multiple jobs to create a release of the project. The following jobs are implemented:
Job | GitHub Action | Description |
---|---|---|
goreleaser | goreleaser-action | Creates the Go archives and the checksums file |
ko-publish | publish-image action | Creates the container images and SBOMs, signs the images and uploads them to the GitHub registry |
binary-provenance | generator_generic_slsa3 | Generates provenance for all release artifacts (Go archives and SBOMs) |
image-provenance | generator_container_slsa3 | Generates provenance for the container images |
verification-with-slsa-verifier | - | Verifies the cryptographic signature on the provenance of all binary release artifacts |
verification-with-cosign | - | Verifies the cryptographic signature on the provenance of the container image |
This repository uses goreleaser to create all the release artifacts. GoReleaser can build and release Go binaries for multiple platforms, create archives/container images/SBOMs and more. All the configuration for the release is stored in the file .goreleaser.yml.
For all the release artifacts (*.tar.gz, *.zip, *.sbom.json), provenance is generated using the SLSA Generic Generator. The provenance file is uploaded to the release assets and can be verified using the slsa-verifier tool (see Release Verification).
The multi-arch container images are built using ko in the publish-image action and uploaded to the GitHub Container Registry. The container image provenance is generated using the SLSA Container Generator and uploaded to the registry alongside the image. The provenance can be verified using the slsa-verifier or cosign tool (see Release Verification).
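The verification steps described above, as an added example that is not part of the repository or its workflows: a small shell script that checks a downloaded archive against the GoReleaser checksums file, confirms that the SLSA provenance (a DSSE envelope with a base64-encoded in-toto statement) actually lists that archive's sha256 as a subject, and then hands signature, builder-identity and source checks to slsa-verifier and cosign. OWNER/REPO, the artifact file name and the release tag are placeholders. The checksum and provenance-inspection functions run offline with GNU coreutils; the slsa-verifier and cosign wrappers need those tools installed and network access to Sigstore. The offline provenance inspection only checks subject coverage and is not a substitute for the signature check slsa-verifier performs.

```shell
#!/usr/bin/env bash
# Added example, not the repository's own code. Placeholders: OWNER/REPO, tag, file names.
set -u

# 1. Integrity: check a downloaded archive against GoReleaser's checksums file.
#    --ignore-missing (GNU coreutils) lets you verify only the archive you downloaded,
#    because checksums.txt lists every artifact of the release.
verify_checksums() {
  local dir="$1" checksums="$2"   # checksums file lives inside "$dir"
  (cd "$dir" && sha256sum --ignore-missing --check "$checksums" >/dev/null 2>&1)
}

# 2. Coverage: does the provenance file (one DSSE envelope JSON per line, e.g.
#    multiple.intoto.jsonl) list this artifact's sha256 as a subject?
#    The in-toto statement is the base64-encoded "payload" field of the envelope.
#    This does NOT verify the envelope signature; step 3 does.
provenance_covers() {
  local artifact="$1" provenance="$2"
  local digest line payload
  digest=$(sha256sum "$artifact" | awk '{print $1}')
  while IFS= read -r line || [ -n "$line" ]; do
    payload=$(printf '%s' "$line" | sed -n 's|.*"payload" *: *"\([A-Za-z0-9+/=]*\)".*|\1|p')
    [ -n "$payload" ] || continue
    # Strip whitespace so the subject digest always appears as "sha256":"<hex>".
    if printf '%s' "$payload" | base64 -d | tr -d ' \n' | grep -q "\"sha256\":\"$digest\""; then
      return 0
    fi
  done < "$provenance"
  return 1
}

# 3. Authenticity: slsa-verifier checks the DSSE signature via Sigstore/Rekor,
#    the builder identity and the source repository/tag recorded in the provenance.
verify_with_slsa_verifier() {
  local artifact="$1" provenance="$2" repo="$3" tag="$4"   # repo = OWNER/REPO
  slsa-verifier verify-artifact "$artifact" \
    --provenance-path "$provenance" \
    --source-uri "github.com/$repo" \
    --source-tag "$tag"
}

# 4. Container image: verify the provenance attestation attached to the image in the
#    registry. Pin the image by digest (ghcr.io/OWNER/REPO@sha256:...), never by tag.
#    The identity regexp pins the signer to the SLSA container generator workflow.
verify_image_with_cosign() {
  local image="$1"
  cosign verify-attestation --type slsaprovenance \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-identity-regexp '^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$' \
    "$image"
}

# Same check with slsa-verifier, which also validates the source repository and tag.
verify_image_with_slsa_verifier() {
  local image="$1" repo="$2" tag="$3"
  slsa-verifier verify-image "$image" --source-uri "github.com/$repo" --source-tag "$tag"
}
```

Typical use after downloading an archive, checksums.txt and multiple.intoto.jsonl from the release page: `verify_checksums . checksums.txt && provenance_covers app_1.0.0_linux_amd64.tar.gz multiple.intoto.jsonl && verify_with_slsa_verifier app_1.0.0_linux_amd64.tar.gz multiple.intoto.jsonl OWNER/REPO v1.0.0`. Only the third step proves the provenance was produced by the SLSA generator for that source; the first two catch a corrupted download or a provenance file that does not belong to the artifact before any network call is made.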
Credits: The publish-image action is from Kyverno.
ko only generates a "minimal" SBOM for the container images (see the comment in the GitHub issue) and lacks some information (e.g. licensing information, or the version field, which is set to devel instead of the actual version).
To generate a complete SBOM for the container images, the go-gomod-generate-sbom action is used instead.
The SBOMs of the container images are uploaded to a separate package registry (see SBOM for more information).
Action: https://github.com/ossf/scorecard-action
Scorecard is a tool that provides a security score for open-source projects. The workflow runs Scorecard on the repository and uploads the results to the Security tab of the repository. There is also a report on the OpenSSF website; the link is available in the README file by clicking on the OpenSSF Scorecard badge.