Description
To stay on top of security issues in gh we would like to periodically run govulncheck in CI and be notified of any failures.
govulncheck can be incorporated into the cli/cli repository in a number of ways:
- Expand the lint workflow to also run govulncheck, failing pull requests if a Go security vulnerability is detected
- Create a scheduled workflow that runs govulncheck and uploads the resulting SARIF file to GitHub for code scanning alerts
Expected outcomes
- gh is scanned for Go vulnerabilities as part of the SDLC process
- CLI maintainers are notified of new vulnerabilities via the #cli-activity Slack channel
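Added example of what the two options could look like as a single GitHub Actions workflow. This is not cli/cli's actual lint workflow; the job names, the cron schedule, the action versions and the assumption that the repository's go.mod pins its Go version are all choices made for the illustration.

```yaml
# Added example, not the project's own workflow. Assumptions: a go.mod at the
# repo root, the action versions shown, and an arbitrary daily schedule.
name: govulncheck

on:
  pull_request:
  schedule:
    - cron: "17 6 * * *"   # daily; the time is an arbitrary choice

permissions:
  contents: read

jobs:
  # Option 1: gate pull requests. The default text output makes govulncheck
  # exit non-zero when it finds a reachable vulnerability, which fails the job.
  govulncheck-pr:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - name: Run govulncheck
        run: govulncheck ./...

  # Option 2: scheduled scan whose findings surface as code scanning alerts.
  govulncheck-sarif:
    if: github.event_name == 'schedule'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required to upload SARIF to code scanning
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - name: Run govulncheck (SARIF)
        run: govulncheck -format sarif ./... > govulncheck.sarif
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: govulncheck.sarif
```

Two caveats worth checking before adopting this. First, govulncheck's exit status differs by output format: in JSON mode it exits 0 regardless of findings, so confirm the same holds for SARIF and treat the scheduled job's uploaded alerts, not its exit code, as the signal; the pull request job deliberately keeps the text output so a finding fails the build. Second, `@latest` is convenient but means the scanner itself floats; pinning golang.org/x/vuln to a specific version (and updating it deliberately) keeps the CI toolchain reproducible.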