Skip to content

go-security

Five independent MR-time scanners for Go projects. Each is a separate job so consumers can opt one out (<job>: { rules: [{ when: never }] }) rather than disabling all of them. Tool images are pinned per input for Renovate-friendliness.

  • govulncheck — Go's official vulnerability scanner (build-graph aware, lower false-positive rate than CVE-database scans). Baked into dev-tools; reuses the go.sum-keyed cache from go-test.
  • trivy — filesystem scan against the Aqua vulndb, catching transitive vulns govulncheck misses.
  • gitleaks — secret-pattern scan over the git history, scoped to the MR's own commit range.
  • osv-scanner — Google OSV-DB scan over go.mod.
  • analyze — semgrep static analysis (p/golang). Job name kept as analyze to match the GitHub CodeQL workflow's default job name, so any downstream dashboard or badge keying off that label keeps working.

Always-on — no change-detection input. See Explanation: security, always-on.

Jobs

Job What it runs
govulncheck govulncheck ./...
trivy trivy fs --exit-code 1 --severity $[[ inputs.trivy_severity ]] --no-progress .
gitleaks gitleaks detect, scoped to the MR diff base on an MR pipeline
osv-scanner /osv-scanner -L $[[ inputs.osv_scanner_target ]]
analyze semgrep --config $[[ inputs.semgrep_config ]] --error --severity $[[ inputs.semgrep_severity ]] .

Inputs

Input Type Default Description
stage string security GitLab CI stage.
if string '$CI_PIPELINE_SOURCE == "merge_request_event"' Gating rules:if: for every job.
govulncheck_image string dev-tools:v0.1.2 Override with a golang:… tag to install govulncheck at runtime instead.
trivy_image string "aquasec/trivy:0.70.0" Trivy image.
trivy_severity string "HIGH,CRITICAL" Severities trivy fails on.
gitleaks_image string "zricethezav/gitleaks:v8.30.1" Gitleaks image.
osv_scanner_image string "ghcr.io/google/osv-scanner:v2.3.8" OSV-Scanner image.
osv_scanner_target string "go.mod" What osv-scanner walks (-L).
semgrep_image string "returntocorp/semgrep:1.163.0" Semgrep image.
semgrep_config string "p/golang" Semgrep ruleset/preset id.
semgrep_severity string "ERROR" Minimum severity semgrep fails on.

Usage

include:
  - component: gitlab.com/phpboyscout/cicd/[email protected]

See also