Commit 92a6789
committed
build: capture
Related to [0] and regular questions we've had in the past, we don't
have a clear answer for "are we vulnerable to a CVE" in a way that our
users are clearly able to determine, as well as "will oapi-codegen fix
it".
As a step towards answering the former, and leading towards the latter,
we can start running `govulncheck` in CI as a way to ensure that we
always have that information to hand.
This will re-run on commits to HEAD, as well as on a schedule, to make
sure we're aware of new CVEs.
By producing this in SARIF format, we can then have this uploaded to
GitHub's Code Scanning alerts, which are more straightforward to
validate.
The Code Scanning alerts page is gated to maintainers, but doesn't
(currently) hide anything that can't be seen by someone running
`govulncheck` themselves on the project.
We also make sure to explicitly note what permissions are required to
handle the workflow.
[0]: oapi-codegen/governance#11govulncheck results as Code Scanning alerts1 parent aea1d0c commit 92a6789
1 file changed
+33
-0
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
0 commit comments