go-security¶
Five independent MR-time scanners for Go projects. Each is a separate job
so consumers can opt one out (<job>: { rules: [{ when: never }] }) rather
than disabling all of them. Tool images are pinned per input for
Renovate-friendliness.
govulncheck— Go's official vulnerability scanner (build-graph aware, lower false-positive rate than CVE-database scans). Baked intodev-tools; reuses the go.sum-keyed cache fromgo-test.trivy— filesystem scan against the Aqua vulndb, catching transitive vulns govulncheck misses.gitleaks— secret-pattern scan over the git history, scoped to the MR's own commit range.osv-scanner— Google OSV-DB scan overgo.mod.analyze— semgrep static analysis (p/golang). Job name kept asanalyzeto match the GitHub CodeQL workflow's default job name, so any downstream dashboard or badge keying off that label keeps working.
Always-on — no change-detection input. See Explanation: security, always-on.
Jobs¶
| Job | What it runs |
|---|---|
govulncheck |
govulncheck ./... |
trivy |
trivy fs --exit-code 1 --severity $[[ inputs.trivy_severity ]] --no-progress . |
gitleaks |
gitleaks detect, scoped to the MR diff base on an MR pipeline |
osv-scanner |
/osv-scanner -L $[[ inputs.osv_scanner_target ]] |
analyze |
semgrep --config $[[ inputs.semgrep_config ]] --error --severity $[[ inputs.semgrep_severity ]] . |
Inputs¶
| Input | Type | Default | Description |
|---|---|---|---|
stage |
string | security |
GitLab CI stage. |
if |
string | '$CI_PIPELINE_SOURCE == "merge_request_event"' |
Gating rules:if: for every job. |
govulncheck_image |
string | dev-tools:v0.1.2 |
Override with a golang:… tag to install govulncheck at runtime instead. |
trivy_image |
string | "aquasec/trivy:0.70.0" |
Trivy image. |
trivy_severity |
string | "HIGH,CRITICAL" |
Severities trivy fails on. |
gitleaks_image |
string | "zricethezav/gitleaks:v8.30.1" |
Gitleaks image. |
osv_scanner_image |
string | "ghcr.io/google/osv-scanner:v2.3.8" |
OSV-Scanner image. |
osv_scanner_target |
string | "go.mod" |
What osv-scanner walks (-L). |
semgrep_image |
string | "returntocorp/semgrep:1.163.0" |
Semgrep image. |
semgrep_config |
string | "p/golang" |
Semgrep ruleset/preset id. |
semgrep_severity |
string | "ERROR" |
Minimum severity semgrep fails on. |
Usage¶
include:
- component: gitlab.com/phpboyscout/cicd/[email protected]
See also¶
go-lint,go-test- Explanation: security, always-on
- Spec:
2026-06-08-gitleaks-scan-scoping-v0.10.3