Skip to content

fix(si): add govulncheck, gitleaks, and gosec CI workflows#36

Open
theautoroboto wants to merge 1 commit into
mainfrom
fedramp/SI-02-govulncheck-ci-2026-04-22
Open

fix(si): add govulncheck, gitleaks, and gosec CI workflows#36
theautoroboto wants to merge 1 commit into
mainfrom
fedramp/SI-02-govulncheck-ci-2026-04-22

Conversation

@theautoroboto

@theautoroboto theautoroboto commented Apr 22, 2026
edited by openshift-ci Bot
Loading

Copy link
Copy Markdown

FedRAMP Remediation — SI-02 / RA-05 / IA-05(7) / SA-11: Vulnerability Scanning and Secret Detection

Jira: ROSAENG-367, ROSAENG-368, ROSAENG-369, ROSAENG-371
Epic: ROSAENG-287

Finding

No automated vulnerability scanning, secret detection, or static analysis workflows exist in CI. This fails SI-02 (flaw remediation), RA-05 (vulnerability scanning), IA-05(7) (authenticator management), and SA-11 (developer security testing).

Change

Added .github/workflows/fedramp-security-scan.yml with three jobs:

  • govulncheck — Go vulnerability scanning (SI-02, RA-05)
  • secret-scan via gitleaks-action@v2 — secret/credential detection (IA-05(7))
  • gosec with SARIF upload — static security analysis (SA-11(1))

Added .github/dependabot.yml — weekly automated dependency PRs for gomod and github-actions (RA-05).

Runs on push and PR to main.

References

🤖 Generated by fedramp-compliance agent on 2026-04-22

@theautoroboto
fix(si): add govulncheck, gitleaks, gosec CI and Dependabot config
d3e13b7 
FedRAMP SI-02, RA-05, IA-05(7), and SA-11(1) require automated
vulnerability scanning, secret detection, SAST analysis, and
regular dependency patching in the CI pipeline.

.github/workflows/fedramp-security-scan.yml:
- govulncheck (SI-02/RA-05): detects reachable Go CVEs on every PR
- gitleaks (IA-05(7)): scans full git history for leaked secrets
- gosec (SA-11(1)): SAST with SARIF upload to GitHub Code Scanning

.github/dependabot.yml (RA-05):
- Weekly automated PRs for Go modules and GitHub Actions pins

Jira: ROSAENG-367, ROSAENG-368, ROSAENG-369, ROSAENG-371
@theautoroboto theautoroboto added fedramp FedRAMP compliance remediation compliance Compliance-related change automated Generated by automation labels Apr 22, 2026
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 22, 2026
@openshift-ci

openshift-ci Bot commented Apr 22, 2026

Copy link
Copy Markdown

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@coderabbitai

coderabbitai Bot commented Apr 22, 2026
edited
Loading

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)
  • do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 9666a8de-47fb-42ee-87cd-ba080d03db5c

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fedramp/SI-02-govulncheck-ci-2026-04-22

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 22, 2026
@openshift-ci

openshift-ci Bot commented Apr 22, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: theautoroboto

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci

openshift-ci Bot commented Apr 22, 2026

Copy link
Copy Markdown

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@theautoroboto theautoroboto marked this pull request as ready for review April 22, 2026 21:29
@theautoroboto theautoroboto added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Apr 22, 2026
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

automated Generated by automation compliance Compliance-related change fedramp FedRAMP compliance remediation needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@theautoroboto