{"id":21572265,"url":"https://github.com/templum/govulncheck-action","last_synced_at":"2025-10-08T19:33:26.886Z","repository":{"id":59037833,"uuid":"534980624","full_name":"Templum/govulncheck-action","owner":"Templum","description":"This action uses govulncheck to perform a scan of the code, afterwards it will parse the output and transform it into an Sarif Report, which will be uploaded to Github using the code-scanning API.","archived":false,"fork":false,"pushed_at":"2023-12-19T17:39:23.000Z","size":321,"stargazers_count":21,"open_issues_count":0,"forks_count":9,"subscribers_count":3,"default_branch":"main","last_synced_at":"2023-12-20T12:22:54.775Z","etag":null,"topics":["code-scanner","github-actions","go","golang","golang-tools","sarif-report","security-tools"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Templum.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2022-09-10T11:42:52.000Z","updated_at":"2024-02-06T14:09:26.384Z","dependencies_parsed_at":"2023-10-12T15:45:15.378Z","dependency_job_id":"758ca078-d981-4c60-ae6f-08b85e345123","html_url":"https://github.com/Templum/govulncheck-action","commit_stats":{"total_commits":56,"total_committers":3,"mean_commits":"18.666666666666668","dds":0.1607142857142857,"last_synced_commit":"b61c13d076bcc30ddf10cc780d739aaeaf69c9b4"},"previous_names":[],"tags_count":17,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Templum%2Fgovulncheck-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Templum%2Fgovulncheck-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Templum%2Fgovulncheck-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Templum%2Fgovulncheck-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Templum","download_url":"https://codeload.github.com/Templum/govulncheck-action/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248233935,"owners_count":21069493,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["code-scanner","github-actions","go","golang","golang-tools","sarif-report","security-tools"],"created_at":"2024-11-24T11:18:45.404Z","updated_at":"2025-10-08T19:33:26.880Z","avatar_url":"https://github.com/Templum.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Golang Vulncheck\n\n[![CI Flow](https://github.com/Templum/govulncheck-action/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/Templum/govulncheck-action/actions/workflows/ci.yml) [![Release Process](https://github.com/Templum/govulncheck-action/actions/workflows/release.yml/badge.svg)](https://github.com/Templum/govulncheck-action/actions/workflows/release.yml)\n\nThis action runs govulncheck against the code, parses its output and transforms it into a [SARIF](https://sarifweb.azurewebsites.net/) report, which is then uploaded to GitHub using the [code-scanning API](https://docs.github.com/en/rest/code-scanning#upload-an-analysis-as-sarif-data). **Please note** that the upload requires the `security-events: write` permission. The results are then visible in the repository's *Security* tab. By default the action does not exit with a failure when a vulnerability is found, but it can be configured to do so via `fail-on-vuln`.\n\n## :information_source: Limitations of govulncheck :information_source:\n\nFor the full list of currently known limitations please refer to the [official documentation](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck#hdr-Limitations). The most important ones are summarised below.\n\n* Govulncheck analyzes function pointer and interface calls conservatively, which may result in false positives or inaccurate call stacks in some cases.\n* Calls to functions made using package `reflect` are not visible to static analysis. Vulnerable code reachable only through those calls will not be reported, so a clean scan is not proof of absence.\n* There is no support for silencing vulnerability findings.\n\n## :books: Useful links \u0026 resources on govulncheck :books:\n\n* Official Package Documentation: [Link](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck)\n* Introduction Blogpost: [Link](https://go.dev/blog/vuln)\n\n## Usage\n\n\u003cdetails\u003e\n  \u003csummary\u003e\n  Where can I find the scan results of this action?\n  \u003c/summary\u003e\n\nPlease be aware that there is no direct output to the console; all found vulnerabilities are reported to GitHub via a SARIF report. All findings are therefore located in the *Security* tab under the *Code scanning* section.\n\n![Locating Code Scanning](docs/locate_results.png)\n\n![Result List](docs/results.png)\n\n\u003c/details\u003e\n\n### Example Workflows\n\n\u003cdetails\u003e\n  \u003csummary\u003e\n  This configuration uses a different Go version (1.18), scans `./...` and fails if at least one vulnerability is found.\n  \u003c/summary\u003e\n\n  \u003e :warning: Choosing `vulncheck-version: latest` can pull in breaking changes to the govulncheck JSON output format, which would break this action. Pin a specific version for reproducible scans.\n\n```yaml\nname: My Workflow\non: [push, pull_request]\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v3\n      - name: Scan for Vulnerabilities in Code\n        uses: Templum/govulncheck-action@\u003cversion\u003e\n        with:\n          go-version: 1.18\n          vulncheck-version: latest\n          package: ./...\n          fail-on-vuln: true\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e\n  Example configuration for a repository that relies on a private library.\n  \u003c/summary\u003e\n\n\u003e :information_source: For the moment this action works with a [personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token). When creating one, make sure it has read access to the dependent repositories, as `go get` needs to clone them; write access is not required. Following best practice, create the token with the smallest possible scope.\n\n```yaml\nname: My Workflow\non: [push, pull_request]\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v3\n      - name: Scan for Vulnerabilities in Code\n        uses: Templum/govulncheck-action@\u003cversion\u003e\n        env:\n          GH_PAT_TOKEN: ${{ secrets.PAT_TOKEN }}\n          GOPRIVATE: \"github.com/your-name/private-lib\"\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e\n  This configuration uses most of the default values, which are specified below. However, it skips the upload to GitHub and instead uses the upload-artifact action to store the report as a build artifact.\n  \u003c/summary\u003e\n\n```yaml\nname: My Workflow\non: [push, pull_request]\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v3\n      - name: Scan for Vulnerabilities in Code\n        uses: Templum/govulncheck-action@\u003cversion\u003e\n        with:\n          skip-upload: true\n      - name: Upload Sarif Report\n        uses: actions/upload-artifact@v3\n        with:\n          name: sarif-report\n          path: govulncheck-report.sarif\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e\n  This configuration shows how to grant the required permissions to the workflow in case you run into permission issues.\n  \u003c/summary\u003e\n\n```yaml\nname: My Workflow\non: [push, pull_request]\npermissions:\n  contents: read # a permissions block denies every scope it does not list; actions/checkout needs this one\n  security-events: write\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v3\n      - name: Scan for Vulnerabilities in Code\n        uses: Templum/govulncheck-action@\u003cversion\u003e\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e\n  The following configuration puts the action into DEBUG mode, which enables verbose logging and writes the raw govulncheck JSON report to `raw-report.json` so it can be uploaded as an artifact.\n  \u003c/summary\u003e\n\n```yaml\nname: My Debug Workflow\non: [push, pull_request]\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v3\n      - name: Scan for Vulnerabilities in Code\n        uses: Templum/govulncheck-action@\u003cversion\u003e\n        with:\n          skip-upload: true\n        env:\n          DEBUG: \"true\"\n      - name: Upload Report\n        uses: actions/upload-artifact@v3\n        with:\n          name: raw-report\n          path: raw-report.json\n```\n\u003c/details\u003e\n\n### Inputs\n\n| Input | Description |\n|-------|-------------|\n| `go-version` _(optional)_ | Version of Go used for scanning the code; should equal *your* runtime version. Defaults to `1.24.2` |\n| `vulncheck-version` _(optional)_ | Version of govulncheck that should be used. Defaults to `v1.0.0` |\n| `package` _(optional)_ | The package you want to scan. Defaults to `./...` |\n| `working-directory` _(optional)_ | The working directory from which the scan starts. Defaults to `github.workspace` |\n| `github-token` _(optional)_ | GitHub token used to upload the SARIF report. **Needs** `write` permission for `security-events` |\n| `fail-on-vuln` _(optional)_ | Whether the action should fail on encountering any vulnerability. Defaults to `false` |\n| `skip-upload` _(optional)_ | Skips the SARIF upload; the report is instead written to disk as `govulncheck-report.sarif` |\n\n\u003e :warning: Please be aware that `go-version` must be a valid tag name of the [golang Docker Hub image](https://hub.docker.com/_/golang/tags).\n\n\u003e :lock: If no token is specified the action falls back to `github.token`; see [these docs](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) for the permissions that token carries.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftemplum%2Fgovulncheck-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftemplum%2Fgovulncheck-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftemplum%2Fgovulncheck-action/lists"}
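
The README above describes the action's pipeline in one sentence: run govulncheck, parse its JSON output, turn it into a SARIF report for the code-scanning upload and, with `fail-on-vuln`, fail the job when a vulnerability is found. The Go program below is an added example written for this page, not the action's own code, that performs that conversion over a small govulncheck-style stream. It assumes the govulncheck v1.0.0 JSON streaming shape (one object per line carrying `config`, `progress`, `osv` or `finding`; `trace[0]` is the vulnerable symbol, the last frame the entry point in the scanned code, and an empty `trace[0].function` marks a module- or package-level finding). The sample stream, the module names and the OSV IDs `GO-0000-0001`/`GO-0000-0002` are constructed, and the `https://pkg.go.dev/vuln/<ID>` help link and the SARIF subset emitted are this example's own choices.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strings"
)

// Assumed govulncheck v1.0.0 JSON stream: one object per line carrying exactly
// one of "config", "progress", "osv" or "finding". Untagged fields rely on
// encoding/json's case-insensitive key matching; unknown keys are ignored.
type osvEntry struct{ ID, Summary string }
type finding struct {
	OSV          string
	FixedVersion string `json:"fixed_version"`
	// Assumed: trace[0] is the vulnerable symbol, the last frame the entry point in
	// the scanned code; an empty trace[0].function means module/package level only.
	Trace []frame
}
type frame struct {
	Module, Version, Package, Function string
	Position                           *struct {
		Filename string
		Line     int
	}
}

// Called reports whether the vulnerable symbol is reachable from the scanned code.
func (f finding) Called() bool { return len(f.Trace) > 0 && f.Trace[0].Function != "" }

// Minimal SARIF 2.1.0 subset: a driver with rules plus results with one location.
type (
	sarifLog struct {
		Version string `json:"version"`
		Runs    []run  `json:"runs"`
	}
	run struct {
		Tool    struct{ Driver driver `json:"driver"` } `json:"tool"`
		Results []result                                `json:"results"`
	}
	driver struct {
		Name  string `json:"name"`
		Rules []rule `json:"rules"`
	}
	rule struct {
		ID               string `json:"id"`
		ShortDescription text   `json:"shortDescription"`
		HelpURI          string `json:"helpUri"`
	}
	text   struct{ Text string `json:"text"` }
	result struct {
		RuleID    string     `json:"ruleId"`
		Level     string     `json:"level"`
		Message   text       `json:"message"`
		Locations []location `json:"locations,omitempty"`
	}
	location struct {
		Physical struct {
			Artifact struct{ URI string `json:"uri"` }          `json:"artifactLocation"`
			Region   struct{ StartLine int `json:"startLine"` } `json:"region"`
		} `json:"physicalLocation"`
	}
)

// Convert turns a govulncheck JSON stream into a SARIF log with one result per OSV
// ID: "error" when the vulnerable symbol is called, "warning" when the module is
// merely imported. The bool (any called vuln) is what fail-on-vuln should act on.
func Convert(r io.Reader) (sarifLog, bool, error) {
	dec, entries, best := json.NewDecoder(r), map[string]osvEntry{}, map[string]finding{}
	var order []string
	for {
		var m struct {
			OSV     *osvEntry
			Finding *finding
		}
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return sarifLog{}, false, fmt.Errorf("parse govulncheck output: %w", err)
		}
		if m.OSV != nil {
			entries[m.OSV.ID] = *m.OSV
			order = append(order, m.OSV.ID)
		} else if f := m.Finding; f != nil { // keep the most precise finding per OSV ID
			if cur, seen := best[f.OSV]; !seen || (!cur.Called() && f.Called()) {
				best[f.OSV] = *f
			}
		}
	}
	sl, anyCalled := sarifLog{Version: "2.1.0", Runs: []run{{Results: []result{}}}}, false
	drv := &sl.Runs[0].Tool.Driver
	*drv = driver{Name: "govulncheck", Rules: []rule{}}
	for _, id := range order {
		drv.Rules = append(drv.Rules, rule{ID: id, ShortDescription: text{entries[id].Summary},
			HelpURI: "https://pkg.go.dev/vuln/" + id})
		f, ok := best[id]
		if !ok || len(f.Trace) == 0 {
			continue // OSV entry without a usable finding: nothing to report
		}
		v, res := f.Trace[0], result{RuleID: id, Level: "warning"}
		res.Message.Text = fmt.Sprintf("%s@%s is imported but no vulnerable symbol is called; fixed in %s",
			v.Module, v.Version, f.FixedVersion)
		if f.Called() {
			anyCalled, res.Level = true, "error"
			res.Message.Text = fmt.Sprintf("%s@%s: vulnerable symbol %s.%s is called; fixed in %s",
				v.Module, v.Version, v.Package, v.Function, f.FixedVersion)
		}
		for i := len(f.Trace) - 1; i >= 0; i-- { // annotate the frame nearest the scanned code
			if p := f.Trace[i].Position; p != nil {
				var loc location
				loc.Physical.Artifact.URI, loc.Physical.Region.StartLine = p.Filename, p.Line
				res.Locations = []location{loc}
				break
			}
		}
		sl.Runs[0].Results = append(sl.Runs[0].Results, res)
	}
	return sl, anyCalled, nil
}

// Constructed govulncheck-style output for this example (not a real scan).
const sampleOutput = `
{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck","scanner_version":"v1.0.0"}}
{"osv":{"id":"GO-0000-0001","summary":"Constructed example: path traversal in example.com/archive"}}
{"osv":{"id":"GO-0000-0002","summary":"Constructed example: unbounded allocation in example.com/parser"}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v1.2.1","trace":[{"module":"example.com/archive","version":"v1.2.0"}]}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v1.2.1","trace":[{"module":"example.com/archive","version":"v1.2.0","package":"example.com/archive","function":"Extract","position":{"filename":"extract.go","line":42}},{"module":"example.com/app","package":"example.com/app","function":"main","position":{"filename":"main.go","line":17}}]}}
{"finding":{"osv":"GO-0000-0002","fixed_version":"v0.9.3","trace":[{"module":"example.com/parser","version":"v0.9.0"}]}}
`

func main() {
	sl, vulnCalled, err := Convert(strings.NewReader(sampleOutput))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	out, _ := json.MarshalIndent(sl, "", "  ")
	fmt.Println(string(out)) // what the action uploads, or writes as govulncheck-report.sarif
	if vulnCalled { // fail-on-vuln: true turns a reachable finding into a failed job
		os.Exit(1)
	}
}
```

Run it with `go run .`: it prints the SARIF document and exits with status 1 because the sample contains a reachable finding, which is exactly what `fail-on-vuln: true` adds on top of the upload. The part worth keeping in mind is the precision handling: govulncheck emits module-, package- and symbol-level findings for the same OSV entry, and only the symbol-level one means the scanned code actually reaches the vulnerable function, so the example files the others as `warning` and gates the exit status on the called ones alone. Truncated or malformed scanner output is surfaced as an error rather than treated as a clean scan, so a broken JSON format (the `vulncheck-version: latest` caveat above) cannot silently pass the gate.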