add govulncheck for scanning vulnerabilities

dims · dims · commit 61e50a6b558e · 2025-10-29T19:27:58.000-04:00
Signed-off-by: Davanum Srinivas &lt;dsrinivas@nvidia.com&gt;
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
@@ -0,0 +1,113 @@
+# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Go Vulnerability Check
+
+on:
+  push:
+    branches:
+      - main
+      - "pull-request/[0-9]+"
+    paths-ignore:
+      - '**/*.md'
+      - 'docs/**'
+      - 'LICENSE'
+      - '.github/ISSUE_TEMPLATE/**'
+      - '.github/headers/**'
+    tags:
+      - 'v*'
+  workflow_dispatch:
+  schedule:
+    - cron: '0 6 * * *'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+permissions:
+  contents: read
+  security-events: write
+  pull-requests: write
+
+jobs:
+  govulncheck:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
+
+      - name: Setup Go
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32  # v5.0.2
+        with:
+          go-version: 'stable'
+
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+
+      - name: Run govulncheck on all components
+        run: |
+          # Define components to check
+          declare -A components=(
+            ["data-models"]="data-models"
+            ["commons"]="commons"
+            ["platform-connectors"]="platform-connectors"
+            ["store-client-sdk"]="store-client-sdk"
+            ["health-events-analyzer"]="health-events-analyzer"
+            ["fault-quarantine-module"]="fault-quarantine-module"
+            ["fault-remediation-module"]="fault-remediation-module"
+            ["labeler-module"]="labeler-module"
+            ["node-drainer-module"]="node-drainer-module"
+            ["janitor"]="janitor"
+            ["syslog-health-monitor"]="health-monitors/syslog-health-monitor"
+            ["csp-health-monitor"]="health-monitors/csp-health-monitor"
+            ["tests"]="tests"
+            ["simple-health-client"]="tilt/simple-health-client"
+          )
+
+          failed_components=()
+          exit_code=0
+
+          echo "🔍 Running govulncheck on all components..."
+          echo ""
+
+          for component in "${!components[@]}"; do
+            path="${components[$component]}"
+            echo "Checking $component (path: $path)..."
+
+            if govulncheck -C "$path" ./...; then
+              echo "✅ $component: No vulnerabilities found"
+            else
+              echo "❌ $component: Vulnerabilities detected"
+              failed_components+=("$component")
+              exit_code=1
+            fi
+            echo ""
+          done
+
+          echo "=== SUMMARY ==="
+          if [ ${#failed_components[@]} -eq 0 ]; then
+            echo "🎉 All components passed vulnerability checks!"
+          else
+            echo "🚨 Vulnerabilities found in ${#failed_components[@]} component(s):"
+            for component in "${failed_components[@]}"; do
+              echo "  - $component"
+            done
+            echo ""
+            echo "Please review and address the vulnerabilities in the components listed above."
+          fi
+
+          exit $exit_code
