1
0
Fork 0
mirror of https://github.com/imjasonh/govulncheck-action synced 2026-07-08 00:35:45 +00:00
govulncheck-action/.github/workflows/example.yml
Jason Hall 3a117d24f8
Add vulnerable example and enhance action features
This commit adds a comprehensive example demonstrating the govulncheck action's capabilities, along with several enhancements to improve the user experience.

## Changes

### Example Setup
- Added example/main.go that uses golang.org/x/net v0.0.0-20220906165146-f3363e06e74c (vulnerable version)
- Example intentionally calls html.Parse to trigger vulnerability detection
- Demonstrates how the action creates annotations on vulnerable code

### Enhanced Annotations
- Fixed file path handling when running in subdirectories (e.g., './example')
- Added rich context to annotations including:
  - Vulnerability summaries and CVE numbers
  - Direct links to Go vulnerability database (pkg.go.dev/vuln)
  - Fixed version information
  - Clear indication of which function is vulnerable (e.g., "html.Parse" not "main")
- Sorted vulnerabilities by OSV ID for consistent display

### Suggested Fixes
- When vulnerable code is actually called, creates notice annotations on go.mod
- Shows current vs suggested dependency versions
- Lists which specific vulnerabilities have active call sites
- Provides actionable upgrade recommendations

### Workflow Summary
- Added comprehensive workflow summary using GitHub Actions summary API
- Displays vulnerabilities in formatted tables by module
- Shows vulnerable code locations organized by file
- Includes links to Go vulnerability database entries
- Provides clear recommendations for fixing vulnerabilities

### Bug Fixes
- Fixed JSON parsing to handle both JSON lines and multi-line JSON formats
- Fixed annotation file paths to be relative to repository root
- Improved vulnerability function name extraction from trace data
- Enhanced OSV detail parsing and storage

## Testing
The example workflow demonstrates all features by intentionally using a vulnerable dependency. When run, it will:
1. Detect vulnerabilities in golang.org/x/net
2. Create warning annotations on go.mod and main.go
3. Suggest specific version updates
4. Generate a detailed workflow summary

This provides a complete demonstration of the action's vulnerability detection and reporting capabilities.
2025-06-07 00:58:11 -04:00

33 lines
927 B
YAML

name: Example Vulnerability Check
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
workflow_dispatch: # Allow manual triggering
jobs:
example:
name: Check Example for Vulnerabilities
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version: stable
- name: Run govulncheck on example
id: govulncheck
uses: ./
with:
working-directory: './example'
# Note: We don't fail the workflow here since the example is intentionally vulnerable
- name: Demonstrate conditional failure
run: |
echo "In a real workflow, you might want to fail if vulnerabilities are found:"
echo "if: steps.govulncheck.outputs.vulnerabilities-found == 'true'"
echo "run: exit 1"