1+ # Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved.
2+ #
3+ # Licensed under the Apache License, Version 2.0 (the "License");
4+ # you may not use this file except in compliance with the License.
5+ # You may obtain a copy of the License at
6+ #
7+ # http://www.apache.org/licenses/LICENSE-2.0
8+ #
9+ # Unless required by applicable law or agreed to in writing, software
10+ # distributed under the License is distributed on an "AS IS" BASIS,
11+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12+ # See the License for the specific language governing permissions and
13+ # limitations under the License.
14+
15+ name : Go Vulnerability Check
16+
17+ on :
18+ push :
19+ branches :
20+ - main
21+ - " pull-request/[0-9]+"
22+ paths-ignore :
23+ - ' **/*.md'
24+ - ' docs/**'
25+ - ' LICENSE'
26+ - ' .github/ISSUE_TEMPLATE/**'
27+ - ' .github/headers/**'
28+ tags :
29+ - ' v*'
30+ workflow_dispatch :
31+ schedule :
32+ - cron : ' 0 6 * * *'
33+
34+ concurrency :
35+ group : ${{ github.workflow }}-${{ github.ref }}
36+ cancel-in-progress : ${{ github.ref != 'refs/heads/main' }}
37+
38+ permissions :
39+ contents : read
40+ security-events : write
41+ pull-requests : write
42+
43+ jobs :
44+ govulncheck :
45+ runs-on : ubuntu-latest
46+ timeout-minutes : 30
47+ permissions :
48+ contents : read
49+ security-events : write
50+ steps :
51+ - uses : actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
52+
53+ - name : Setup Go
54+ uses : actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
55+ with :
56+ go-version : ' stable'
57+
58+ - name : Install govulncheck
59+ run : go install golang.org/x/vuln/cmd/govulncheck@latest
60+
61+ - name : Run govulncheck on all Go modules
62+ run : |
63+ # Find all directories with go.mod files
64+ go_modules=$(find . -name "go.mod" -type f | grep -v ".git" | sort)
65+
66+ if [ -z "$go_modules" ]; then
67+ echo "No Go modules found in repository"
68+ exit 0
69+ fi
70+
71+ failed_modules=()
72+ exit_code=0
73+ total_modules=0
74+
75+ echo "🔍 Discovered Go modules:"
76+ for mod_file in $go_modules; do
77+ mod_dir=$(dirname "$mod_file")
78+ # Extract module name from go.mod file
79+ mod_name=$(grep "^module " "$mod_file" | awk '{print $2}')
80+ echo " - $mod_name (path: $mod_dir)"
81+ total_modules=$((total_modules + 1))
82+ done
83+ echo ""
84+
85+ echo "Running govulncheck on $total_modules module(s)..."
86+ echo ""
87+
88+ for mod_file in $go_modules; do
89+ mod_dir=$(dirname "$mod_file")
90+ mod_name=$(grep "^module " "$mod_file" | awk '{print $2}')
91+
92+ echo "Checking $mod_name (path: $mod_dir)..."
93+
94+ if govulncheck -C "$mod_dir" ./...; then
95+ echo "✅ $mod_name: No vulnerabilities found"
96+ else
97+ echo "❌ $mod_name: Vulnerabilities detected"
98+ failed_modules+=("$mod_name")
99+ exit_code=1
100+ fi
101+ echo ""
102+ done
103+
104+ echo "=== SUMMARY ==="
105+ if [ ${#failed_modules[@]} -eq 0 ]; then
106+ echo "🎉 All $total_modules module(s) passed vulnerability checks!"
107+ else
108+ echo "🚨 Vulnerabilities found in ${#failed_modules[@]} of $total_modules module(s):"
109+ for module in "${failed_modules[@]}"; do
110+ echo " - $module"
111+ done
112+ echo ""
113+ echo "Please review and address the vulnerabilities in the modules listed above."
114+ fi
115+
116+ exit $exit_code
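Review bot: The scanner is installed with `go install golang.org/x/vuln/cmd/govulncheck@latest` (gutter line 59) while both actions in the job are pinned to a commit SHA, so the one binary whose verdict the workflow reports is the only component that can change between the daily scheduled runs without a reviewable diff; pin it, e.g. `run: go install golang.org/x/vuln/cmd/govulncheck@<PINNED_VERSION>  # bump deliberately`, and let the usual dependency-update tooling propose bumps. The job's own `permissions:` block (lines 47-49) replaces the workflow-level one, so `pull-requests: write` at line 41 is never granted to anything, and `security-events: write` is never exercised either since the run step neither emits SARIF nor uploads it; both grants can be dropped, leaving `contents: read`. The `else` branch at line 96 labels every nonzero govulncheck exit as "Vulnerabilities detected", which, if I read govulncheck's exit-code contract correctly, conflates a real finding with a tool or vulndb-fetch failure; a distinct message for the non-finding case would keep the summary honest. The `grep -v ".git"` filter at line 64 is an unescaped regex whose `.` matches any character, so a module whose path contains `digit` or `legit` would silently be skipped; `go_modules=$(find . -name go.mod -type f -not -path '*/.git/*' | sort)` excludes only the VCS directory.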