From 2a6e4ed417b522334dc62aad389f27ca320fccc5 Mon Sep 17 00:00:00 2001
From: "Mark S. Lewis"
Date: Fri, 14 Feb 2025 11:42:08 +0000
Subject: [PATCH] Run vulnerability scan on latest release tags

Vulnerability scans were previously run on the latest state of currently developed branches. This provided assurance that the current branch state did not contain known vulnerabilities in dependencies, but did not provide assurance that the currently released code was free of vulnerabilities.

This change runs vulnerability scans on the most recent release version tag for currently developed branches. Scan failures now indicate that a new release is required to address vulnerabilities in dependencies.

Signed-off-by: Mark S. Lewis
---
 .github/workflows/vulnerability-scan.yml | 15 +++++++++++++--
 Makefile | 2 +-
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
index d506182dc51..0a2857d6aa9 100644
--- a/.github/workflows/vulnerability-scan.yml
+++ b/.github/workflows/vulnerability-scan.yml
@@ -24,12 +24,23 @@ jobs:
 - main
 - release-2.5
 steps:
- - uses: actions/checkout@v4
+ - name: Checkout ${{ matrix.ref }} branch
+ uses: actions/checkout@v4
 with:
 ref: ${{ matrix.ref }}
+ fetch-depth: 0
+ - name: Get latest release tag
+ id: latest-release
+ run: echo "tag=$(git -c versionsort.suffix=- tag --merged HEAD --sort=-version:refname | head -1)" >> "${GITHUB_OUTPUT}"
+ - name: Checkout ${{ steps.latest-release.outputs.tag }}
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ steps.latest-release.outputs.tag }}
 - name: Set up Go
 uses: actions/setup-go@v5
 with:
- go-version: 1.24.0
+ # Always use the latest Go release to avoid false positives from older
+ # versions of the Go standard library
+ go-version: stable
 - name: Scan
 run: make scan
diff --git a/Makefile b/Makefile
index 862471612d7..f5f14e2a1f2 100644
--- a/Makefile
+++ b/Makefile
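Review bot: The `Get latest release tag` step writes an empty `tag` output when no tag is merged into the checked-out branch, or when the `git tag` pipeline fails inside the command substitution (the surrounding `echo` still succeeds, so the step does not fail); the following `actions/checkout` with `ref: ${{ steps.latest-release.outputs.tag }}` then does a default checkout instead of erroring, and the scan silently runs against code that is not the latest release. The output should be validated before it is written, as below. Separately, `--sort=-version:refname` considers every merged tag, so if the repository also carries pre-release tags (for example with an `-rc` suffix, which `versionsort.suffix=-` orders before the matching final release but after any earlier release) the newest such tag would be scanned instead of the last final release; if that matters, a `--list` pattern restricted to release tags would pin it down. The job definition begins before this hunk.
```yaml
      - name: Get latest release tag
        id: latest-release
        run: |
          tag="$(git -c versionsort.suffix=- tag --merged HEAD --sort=-version:refname | head -1)"
          if [ -z "${tag}" ]; then
            echo "::error::no release tag is merged into ${{ matrix.ref }}"
            exit 1
          fi
          echo "tag=${tag}" >> "${GITHUB_OUTPUT}"
      # … unchanged: checkout of the selected tag, Go setup, scan …
```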
@@ -376,4 +376,4 @@ scan: scan-govulncheck ## Run all security scans
 
 .PHONY: scan-govulncheck
 scan-govulncheck: gotool.govulncheck ## Run gosec security scan
- govulncheck ./...
+ govulncheck -show verbose ./...
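Review bot: The `##` help text on the `scan-govulncheck` rule whose recipe this hunk rewrites still reads `## Run gosec security scan`, which describes a different tool; since the rule is already being touched, the context line above the recipe should become `scan-govulncheck: gotool.govulncheck ## Run govulncheck vulnerability scan`. The added `-show verbose` changes only how much govulncheck prints, so the target's pass/fail behaviour on a finding is presumably unchanged; a short comment above the rule saying that the verbose output is there to make the affected module and call trace visible in CI logs would record why the flag was added.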