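---
# Go security-scanning workflow
# Runs gosec static analysis, govulncheck and npm audit.
#
# Usage:
#   1. Copy this file to .github/workflows/security.yml
#   2. Or adapt it for Gitea Actions
#   3. Or run it manually: ./scripts/security/run-gosec.sh
#
# NOTE(review): the actions are pinned to major tags (@v4/@v5) and the Go
# tools to @latest. Pinning actions to a full commit SHA and the tools to a
# specific release gives reproducible, tamper-resistant runs.

name: Security Scan

# GitHub Actions reads this key as the event trigger list; a generic YAML 1.1
# parser reads the bare key `on` as boolean true, which is harmless here.
on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 2 * * *'  # daily at 02:00 UTC (this expression is daily, not weekly)

# Least privilege: no job needs more than read access to the repository.
permissions:
  contents: read

jobs:
  gosec:
    name: Go Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.23'

      - name: Install gosec
        run: go install github.com/securego/gosec/v2/cmd/gosec@latest

      # gosec exits non-zero when it reports issues, which fails this step.
      # The job is meant to fail on findings (-no-fail is deliberately not
      # used), so the report steps below run with `if: always()` to keep the
      # evidence instead of being skipped on exactly the runs that matter.
      - name: Run gosec
        run: |
          gosec -fmt json -out=gosec-report.json ./...

      - name: Upload security report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: gosec-report
          path: gosec-report.json

      - name: Display results
        if: always()
        run: |
          # The file is absent when checkout or the Go setup failed.
          if [ -f gosec-report.json ]; then
            echo "Security issues found:"
            # gosec's JSON report keeps findings under "Issues" with lowercase
            # field names; if the shape differs, fall back to the raw report.
            jq -r '.Issues[] | "\(.severity): \(.details) (\(.file):\(.line))"' gosec-report.json 2>/dev/null || cat gosec-report.json
          fi

  govulncheck:
    name: Vulnerability Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.23'

      # govulncheck exits non-zero when it finds a known vulnerability that
      # the code can reach, which fails the job.
      - name: Run govulncheck
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          govulncheck ./...

  npm-audit:
    name: NPM Audit
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: frontend/admin
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'
          # Resolved from the repository root, not from the job's working-directory.
          cache-dependency-path: frontend/admin/package-lock.json

      - name: Install dependencies
        run: npm ci

      # Fails the job on advisories of moderate severity or higher.
      - name: Run npm audit
        run: npm audit --audit-level=moderate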