Conversation

@jamietanna
Member

@jamietanna jamietanna commented Sep 10, 2025

Related to [0] and regular questions we've had in the past, we don't
have a clear answer for "are we vulnerable to a CVE" in a way that our
users are clearly able to determine, as well as "will oapi-codegen fix
it".

As a step towards answering the former, and leading towards the latter,
we can start running `govulncheck` in CI as a way to ensure that we
always have that information to hand.

This will re-run on commits to HEAD, as well as on a schedule, to make
sure we're aware of new CVEs.

By producing this in SARIF format, we can then have this uploaded to
GitHub's Code Scanning alerts, which are more straightforward to
validate.

The Code Scanning alerts page is gated to maintainers, but doesn't
(currently) hide anything that can't be seen by someone running
`govulncheck` themselves on the project.

We also make sure to explicitly note what permissions are required to
handle the workflow.

[0]: oapi-codegen/governance#11
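An illustrative GitHub Actions workflow of the shape the PR describes (scan on commits to HEAD and on a schedule, SARIF output, upload to Code Scanning, explicit least-privilege permissions), added here as an example; it is not the workflow merged in this PR. It assumes the `output-format`/`output-file` inputs of `golang/govulncheck-action` and the `github/codeql-action/upload-sarif` action; the `uses:` refs below are tags as placeholders, where a real repository would pin to commit SHAs as the bot comment above notes.

```yaml
# Added example workflow, not the one from this PR.
# Assumes golang/govulncheck-action's `output-format`/`output-file` inputs
# and github/codeql-action/upload-sarif. Tag refs are placeholders; pin
# each `uses:` to a commit SHA in a real repository.
name: govulncheck

on:
  push:
    branches: [main]        # re-run on commits to HEAD
  pull_request:
  schedule:
    - cron: "0 6 * * *"     # daily, so newly published CVEs surface without a commit

# Least privilege: only what checkout and the SARIF upload need.
permissions:
  contents: read            # actions/checkout
  security-events: write    # upload-sarif must create Code Scanning alerts

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # placeholder tag; pin to a commit SHA

      - name: Run govulncheck and emit SARIF
        uses: golang/govulncheck-action@v1   # placeholder tag; pin to a commit SHA
        with:
          output-format: sarif
          output-file: results.sarif
        # Findings are meant to be triaged in Code Scanning, so a non-zero
        # exit from the scanner must not prevent the upload step below.
        continue-on-error: true

      - name: Upload SARIF to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v3   # placeholder tag; pin to a commit SHA
        with:
          sarif_file: results.sarif
          category: govulncheck   # keeps these alerts distinct from other scanners
```

Because alerts are created from the uploaded SARIF rather than from the job's exit status, reviewers triage findings on the Code Scanning page while the scheduled run keeps the data current between commits.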

@kusari-inspector

kusari-inspector bot commented Sep 10, 2025

Kusari Inspector

Kusari Analysis Results:

Proceed with these changes

✅ No Flagged Issues Detected
All values appear to be within acceptable risk parameters.

Combined security analysis shows no actual vulnerabilities or security concerns. Both dependency and code analyses found clean results. The single detection was correctly identified as a false positive - a commit-pinned GitHub Action reference representing security best practices, not an exposed secret. No dependency issues, code vulnerabilities, or workflow problems were detected across both analyses.

Note

View full detailed analysis result for more information on the output and the checks that were run.


@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: af833ea, performed at: 2025-09-11T10:54:58Z

Found this helpful? Give it a 👍 or 👎 reaction!

@jamietanna
Member Author

@kusari-inspector feedback if we can get "Recommended Code Changes" being provided as ```` ```suggestion ```` blocks, that'd be easier to accept changes!

@kusari-inspector

Thank you for your feedback! 📝 Your message has been submitted for review.

@kusari-inspector

Kusari PR Analysis rerun based on - 86cedaa performed at: 2025-09-11T10:46:03Z - link to updated analysis

@jamietanna jamietanna marked this pull request as ready for review September 11, 2025 10:54
@jamietanna jamietanna requested a review from a team as a code owner September 11, 2025 10:54
@kusari-inspector

Kusari PR Analysis rerun based on - af833ea performed at: 2025-09-11T10:55:34Z - link to updated analysis

@jamietanna jamietanna merged commit 3eff0a2 into main Sep 11, 2025
43 checks passed
@jamietanna jamietanna deleted the build/govulncheck branch September 11, 2025 11:08
@jamietanna jamietanna added the chore Any maintenance tasks that are regular, not as important to call out in the changelog label Nov 1, 2025