Files
xinghuoapi/.github/workflows/security-scan.yml
wucm667 f30f8905ec fix(ci): fix gosec scan timeout caused by ent-generated code
[Problem description]
The backend-security CI job kept running for about 6 hours until GitHub Actions forcibly cancelled it;
the 'Run gosec' step hung and the job ended in the cancelled state.

[Root cause]
When gosec runs its AST static analysis over ./..., it also picks up the auto-generated files under
ent/ (e.g. mutation.go, 24800 lines in total), pushing the analysis time past the
GitHub Actions default 6-hour limit.

[Fix]
1. Add -exclude-dir=ent to the gosec command to skip the generated-code directory
2. Add timeout-minutes: 15 to the backend-security job so that a similar problem in future is
   noticed without first hanging for hours

Everything under ent/ is generated by the Ent ORM framework and is not written by developers directly,
so it does not need to be in scope for manual security auditing; excluding it does not affect the scan's effectiveness.
2026-02-28 10:20:57 +08:00

65 lines
1.8 KiB
YAML

name: Security Scan
on:
  push:
  pull_request:
  schedule:
    - cron: '0 3 * * 1'
permissions:
  contents: read
jobs:
  backend-security:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: backend/go.mod
          check-latest: false
          cache-dependency-path: backend/go.sum
      - name: Verify Go version
        run: |
          go version | grep -q 'go1.25.7'
      - name: Run govulncheck
        working-directory: backend
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          govulncheck ./...
      - name: Run gosec
        working-directory: backend
        run: |
          go install github.com/securego/gosec/v2/cmd/gosec@latest
          # exclude ent/ — auto-generated ORM code, not subject to manual security review
          gosec -conf .gosec.json -severity high -confidence high -exclude-dir=ent ./...
  frontend-security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 9
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'pnpm'
          cache-dependency-path: frontend/pnpm-lock.yaml
      - name: Install dependencies
        working-directory: frontend
        run: pnpm install --frozen-lockfile
      - name: Run pnpm audit
        working-directory: frontend
        run: |
          pnpm audit --prod --audit-level=high --json > audit.json || true
      - name: Check audit exceptions
        run: |
          python tools/check_pnpm_audit_exceptions.py \
            --audit frontend/audit.json \
            --exceptions .github/audit-exceptions.yml
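The commit justifies `-exclude-dir=ent` by stating that everything under ent/ is generated. A whole-directory SAST exclusion is only as safe as that claim, so the check a reviewer would want is one that proves it before the flag is merged: every `.go` file in the excluded directory should carry Go's `// Code generated ... DO NOT EDIT.` marker, and any hand-written file that has crept in (a helper, a hook, a custom query) would otherwise silently escape gosec forever. The script below is an added example, not part of the xinghuoapi repository or its workflow. It assumes a POSIX shell with `find` and a `grep` that supports `-L` (GNU and BSD both do), and the `ent/` fixture it scans is constructed inline purely for demonstration.

```shell
#!/bin/sh
# Added example, not xinghuoapi project code: verify that a directory about to be
# passed to gosec as -exclude-dir really contains only generated Go code.

# Print (to stderr) every .go file under $1 that lacks the Go generated-code
# marker. Returns 0 when the directory is entirely generated, 1 otherwise.
check_generated_dir() {
    dir="$1"
    # Go convention: a line of the form "// Code generated <anything> DO NOT EDIT."
    # grep -L lists the files that do NOT contain a match, i.e. the hand-written ones.
    unmarked=$(find "$dir" -type f -name '*.go' \
        -exec grep -LE '^// Code generated .* DO NOT EDIT\.$' {} + | sort)
    if [ -n "$unmarked" ]; then
        printf 'hand-written Go files found under %s (unsafe to -exclude-dir):\n%s\n' \
            "$dir" "$unmarked" >&2
        return 1
    fi
    return 0
}

# Constructed fixture (sample input, not the project's real ent/ tree): one
# properly marked generated file plus one hand-written file slipped in beside it.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/ent"
    printf '// Code generated by ent, DO NOT EDIT.\n\npackage ent\n' \
        > "$root/ent/mutation.go"
    printf 'package ent\n\n// hand-written helper that an excluded scan would never see\nfunc Unsafe() {}\n' \
        > "$root/ent/helper.go"
    echo "$root"
}

main() {
    root=$(make_fixture)
    if check_generated_dir "$root/ent"; then
        echo "ent/ is entirely generated: safe to pass -exclude-dir=ent"
    else
        echo "refusing to exclude ent/ wholesale; scan or move the listed files"
    fi
    rm -rf "$root"
}

main
```

Run it as a CI step just before the gosec invocation (pointing it at `backend/ent`) and fail the job when it returns 1; that turns the commit message's assumption into an enforced invariant rather than a one-time observation. The same function works for any other generated tree (protobuf, mocks, OpenAPI stubs) that a team is tempted to drop from static analysis.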