oadmin/xinghuoapi
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
Files
9fd95df5cf276ab545f82591de47d8a82bd2cf89
xinghuoapi/.github/workflows/security-scan.yml
shaw 54de3bf27a fix(ci): gosec 跳过自动生成的代码文件避免扫描超时 
为 gosec 添加 -exclude-generated 标志,跳过带有
"// Code generated" 注释的文件(如 wire_gen.go),
防止安全扫描因分析自动生成代码而超时。
2026-02-28 22:30:53 +08:00

65 lines
1.8 KiB
YAML
Raw Blame History

name: Security Scan
on:
push:
pull_request:
schedule:
- cron: '0 3 * * 1'
permissions:
contents: read
jobs:
backend-security:
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: backend/go.mod
check-latest: false
cache-dependency-path: backend/go.sum
- name: Verify Go version
run: |
go version | grep -q 'go1.25.7'
- name: Run govulncheck
working-directory: backend
run: |
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
- name: Run gosec
working-directory: backend
run: |
go install github.com/securego/gosec/v2/cmd/gosec@latest
# exclude ent/ — auto-generated ORM code, not subject to manual security review
gosec -conf .gosec.json -severity high -confidence high -exclude-generated -exclude-dir=ent ./...
frontend-security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up pnpm
uses: pnpm/action-setup@v4
with:
version: 9
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
cache: 'pnpm'
cache-dependency-path: frontend/pnpm-lock.yaml
- name: Install dependencies
working-directory: frontend
run: pnpm install --frozen-lockfile
- name: Run pnpm audit
working-directory: frontend
run: |
pnpm audit --prod --audit-level=high --json > audit.json || true
- name: Check audit exceptions
run: |
python tools/check_pnpm_audit_exceptions.py \
--audit frontend/audit.json \
--exceptions .github/audit-exceptions.yml
Reference in New Issue View Git Blame Copy Permalink