This website requires JavaScript.
Explore
Help
Sign in
imjasonh
/
govulncheck-action
Watch
1
Star
0
Fork
You've already forked govulncheck-action
0
mirror of
https://github.com/imjasonh/govulncheck-action
synced
2026-07-11 01:53:12 +00:00
Code
Activity
f8173bd3ef
govulncheck-action
/
example
/
go.mod
6 lines
97 B
Modula-2
Raw
Normal View
History
Unescape
Escape
Initial implementation of govulncheck GitHub Action This action runs govulncheck on Go projects and creates GitHub annotations for vulnerabilities found in dependencies and code paths. Features: - Automated vulnerability scanning with govulncheck - Smart annotations on go.mod for vulnerable dependencies - Annotations on source code lines that call vulnerable functions - Configurable working directory - Output variables for vulnerability detection The implementation includes: - Modular architecture with separate concerns (execution, parsing, annotation) - Comprehensive test suite with 100% function coverage - Example vulnerable Go module for demonstration - GitHub workflow example - Full documentation 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-06-06 23:41:03 -04:00
module
github
.
com
/
imjasonh
/
govulncheck
-
action
/
example
Fix parser to handle multi-line JSON format and add local testing This commit fixes the parser to handle both JSON lines and multi-line JSON formats from govulncheck, and adds tools for local testing: - Updated parser to detect and handle both JSON lines and pretty-printed JSON - Added logic to skip govulncheck installation if already present - Created run-local.js for testing the action locally without GitHub Actions - Added test:local npm script for easy local testing - Changed example to use a version of golang.org/x/net with known vulnerabilities The parser now correctly identifies 14 vulnerabilities in the example, including ones that trace to the html.Parse call in main.go. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-06-07 00:14:39 -04:00
go
1.20
Initial implementation of govulncheck GitHub Action This action runs govulncheck on Go projects and creates GitHub annotations for vulnerabilities found in dependencies and code paths. Features: - Automated vulnerability scanning with govulncheck - Smart annotations on go.mod for vulnerable dependencies - Annotations on source code lines that call vulnerable functions - Configurable working directory - Output variables for vulnerability detection The implementation includes: - Modular architecture with separate concerns (execution, parsing, annotation) - Comprehensive test suite with 100% function coverage - Example vulnerable Go module for demonstration - GitHub workflow example - Full documentation 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-06-06 23:41:03 -04:00
Fix: Parser fails to detect vulnerabilities in multi-line JSON output ## Problem The govulncheck action was incorrectly reporting "no vulnerabilities found" even when vulnerabilities were present. This was happening because govulncheck outputs pretty-printed JSON (multi-line format) rather than JSON lines format. ## Root Cause The parser had a logic bug where it would set `parsedAsJsonLines = true` whenever it encountered ANY valid JSON line, including trivial ones like `{`. This prevented the multi-line JSON parser from ever running, causing all findings to be missed. ## Solution Changed the parser to only skip multi-line parsing if it actually found meaningful data (OSV details or findings) in JSON lines format. Now it correctly falls back to multi-line JSON parsing when needed. ## Additional Changes Updated the example workflow to fail if no vulnerabilities are detected, since we know the example code contains vulnerabilities. This serves as a regression test to ensure the parser continues to work correctly. ## Testing - Verified the parser now correctly identifies 8 vulnerabilities in the example code - The action now properly reports vulnerabilities instead of false negatives - CI checks are now working correctly - Example workflow now fails if the parser bug resurfaces This is a critical bug fix that prevents false "no vulnerabilities" reports. Signed-off-by: Jason Hall <jason@chainguard.dev>
2025-06-07 02:26:48 -04:00
require
golang
.
org
/
x
/
net
v0
.
22.0
Copy permalink