gosec.yml

name: CI gosec
permissions:
  # required for all workflows
  security-events: write
  # only required for workflows in private repositories
  actions: read
  contents: read
on:
  push:
    branches: [ "*" ]
  pull_request:
    branches: [ "*" ]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  tests:
    runs-on: ubuntu-20.04
    env:
      GO111MODULE: on
    steps:
      - name: Checkout Source
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
        with:
          go-version-file: 'go.mod'
      - name: Run Gosec Security Scanner
        uses: securego/gosec@d4617f51baf75f4f809066386a4f9d27b3ac3e46 # v2.21.4
        with:
          args:  '-no-fail -fmt sarif -out gosec.sarif ./...'
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@c4fb451437765abf5018c6fbf22cce1a7da1e5cc
        with:
          sarif_file: gosec.sarif