ci: added new govulncheck workflow (#5964)

* chore(dependabot): added new `security` group Signed-off-by: Dwi Siswanto <git@dw1.io> * ci: added new `govulncheck` workflow Signed-off-by: Dwi Siswanto <git@dw1.io> * chore(dependabot): merge 2 groups Signed-off-by: Dwi Siswanto <git@dw1.io> --------- Signed-off-by: Dwi Siswanto <git@dw1.io>
2025-12-22 02:05:24 +00:00 · 2025-01-09 16:54:13 +07:00 · 2025-01-09 16:54:13 +07:00 · c61e325ace
commit c61e325ace
parent 805cab4222
2 changed files with 30 additions and 2 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -8,11 +8,13 @@ updates:
    commit-message:
      prefix: "chore"
      include: "scope"
    allow:
      - dependency-name: "github.com/projectdiscovery/*"
    groups:
      modules:
        patterns: ["github.com/projectdiscovery/*"]
      security:
        applies-to: "security-updates"
        patterns: ["*"]
        exclude-patterns: ["github.com/projectdiscovery/*"]
    labels:
      - "Type: Maintenance"
--- a/.github/workflows/govulncheck.yaml
+++ b/.github/workflows/govulncheck.yaml
@ -0,0 +1,26 @@
 name: 🐛 govulncheck
 on:
  schedule:
    - cron: '0 0 * * 0' # Weekly
  workflow_dispatch:
 jobs:
  govulncheck:
    runs-on: ubuntu-latest
    if: github.repository == 'projectdiscovery/nuclei'
    permissions:
      actions: read
      contents: read
      security-events: write
    env:
      OUTPUT: "/tmp/results.sarif"
    steps:
      - uses: actions/checkout@v4
      - uses: projectdiscovery/actions/setup/go@v1
      - run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - run: govulncheck -scan package -format sarif ./... > $OUTPUT
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "${{ env.OUTPUT }}"
          category: "govulncheck"