onvif-go/.github/workflows/security.yml
0x524a d13fdb0e0a chore: update Go version in CI workflows for consistency and improved compatibility
- Changed Go version from '1.24' to '1.24.x' across all CI workflows to ensure compatibility with patch releases.
- Modified arguments for the golangci-lint action to streamline configuration.
- Updated gosec and govulncheck commands to improve error handling and reporting.
2025-12-02 23:14:10 -05:00


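# Static analysis (gosec) and known-vulnerability check (govulncheck) for the Go module.
# Runs on pushes/PRs to the default branches and weekly. Both jobs are deliberately
# non-gating: findings are reported (logs + artifact) but never fail the workflow.
name: Security Scan

on:
  push:
    branches: [ master, main ]
  pull_request:
    branches: [ master, main ]
  schedule:
    - cron: '0 0 * * 0' # Weekly on Sunday (UTC)

# Least privilege: no step below uploads SARIF to code scanning, so the former
# `security-events: write` grant was unused and has been dropped. Re-add it
# together with a SARIF upload step if gosec output is ever sent to code scanning.
permissions:
  contents: read

jobs:
  gosec:
    name: Security Scan (gosec)
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Set up Go
        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
          go-version: '1.24.x'

      # gosec runs with -no-fail, so findings are reported rather than enforced.
      # continue-on-error replaces the former `|| true`: a tool install or build
      # failure is now shown as a failed step instead of being silently hidden.
      # NOTE(review): `@latest` is an unpinned supply-chain dependency, unlike the
      # SHA-pinned actions in this file — pin to a tagged release once agreed.
      - name: Install and run gosec
        continue-on-error: true
        run: |
          go install github.com/securego/gosec/v2/cmd/gosec@latest
          gosec -no-fail -fmt json -out gosec-report.json ./...

      - name: Upload gosec report
        if: always()
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: gosec-report
          path: gosec-report.json
          if-no-files-found: warn # a missing report means the scan step failed; do not hide that
          retention-days: 30

      # Summarise the JSON report in the job log. `jq -e` exits non-zero when the
      # filter produces no output, so the fallback messages actually fire when
      # stats are missing or the issue list is empty.
      - name: Display gosec results
        if: always()
        run: |
          if [ -f gosec-report.json ]; then
            echo "📊 Gosec Security Scan Results:"
            jq -re '.Stats // empty' gosec-report.json || echo "No stats available"
            echo ""
            echo "Issues found:"
            jq -re '.Issues[]? | "\(.severity | ascii_upcase): \(.rule_id) - \(.details)"' gosec-report.json || echo "No issues found"
          else
            echo "No gosec report was produced (see the scan step above)"
          fi

  govulncheck:
    name: Vulnerability Check (govulncheck)
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Set up Go
        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
          go-version: '1.24.x'

      # govulncheck exits non-zero when it finds a vulnerability reachable from
      # this module. The former `|| true` discarded that signal entirely;
      # continue-on-error keeps the job green (same policy as before) but marks
      # the step as failed so the finding is visible in the run summary.
      # Remove continue-on-error to make this check gating.
      # NOTE(review): the tool is installed from `@latest` (the documented
      # invocation, as the vulnerability database is fetched at run time), but
      # this is still an unpinned dependency — consider pinning a release.
      - name: Run govulncheck
        continue-on-error: true
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          govulncheck ./...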