Skip to content
Security

feat: add --from flag and default-sender, add screening new mail control from cli #180

Sign in to view logs

feat: add --from flag and default-sender, add screening new mail control from cli

feat: add --from flag and default-sender, add screening new mail control from cli #180

Workflow file for this run

.github/workflows/security.yml at 34e6da5
name: Security
on:
workflow_call:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: '0 6 * * 1'
permissions: {}
jobs:
secrets:
name: Secret scanning
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false
- name: Install gitleaks
run: |
curl -sSfLo gitleaks_8.21.2_linux_x64.tar.gz https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz
curl -sSfLo checksums.txt https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_checksums.txt
grep 'gitleaks_8.21.2_linux_x64.tar.gz' checksums.txt | sha256sum -c -
tar -xzf gitleaks_8.21.2_linux_x64.tar.gz
sudo mv gitleaks /usr/local/bin/
- name: Run gitleaks
run: gitleaks detect --source . --verbose
trivy:
name: Trivy vulnerability scan
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
if: github.event_name != 'pull_request'
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
with:
scan-type: fs
format: sarif
output: trivy-results.sarif
- uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
with:
sarif_file: trivy-results.sarif
category: trivy
gosec:
name: Go security analysis
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
if: github.event_name != 'pull_request'
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: securego/gosec@223e19b8856e00f02cc67804499a83f77e208f3c # v2.25.0
with:
args: -fmt sarif -out gosec-results.sarif ./...
- uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
with:
sarif_file: gosec-results.sarif
category: gosec
dependency-review:
name: Dependency review
runs-on: ubuntu-latest
permissions:
contents: read
if: github.event_name == 'pull_request'
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
continue-on-error: true # requires GitHub Advanced Security (dependency graph)
codeql:
name: CodeQL analysis
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
if: github.event_name != 'pull_request'
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Set up Go
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version-file: go.mod
- name: Initialize CodeQL
uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
with:
languages: go
config-file: .github/codeql/codeql-config.yml
- name: Build
run: go build ./...
- name: Perform CodeQL analysis
uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1