build: update scan workflow

- Update actions to their latest versions. - Use SHA to (potentially) allow enabling Dependabot. - Add Go Modules caching using `actions/setup-go` (supported since >=v3). - Add `--all-projects` flag to `snyk`. Signed-off-by: Hidde Beydals <hidde@hhh.computer>
2023-03-20 10:54:30 +01:00 · 2023-03-20 10:54:30 +01:00 · 18602b8325
parent 52dd8a0124
commit 18602b8325
1 changed files with 20 additions and 12 deletions
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@ -16,9 +16,10 @@ jobs:
    name: FOSSA
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - name: Checkout
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
      - name: Run FOSSA scan and upload build data
-        uses: fossa-contrib/fossa-action@v2
+        uses: fossa-contrib/fossa-action@6728dc6fe9a068c648d080c33829ffbe56565023 # v2.0.0
        with:
          # FOSSA Push-Only API Token
          fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
@ -29,11 +30,15 @@ jobs:
    runs-on: ubuntu-latest
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    steps:
-      - uses: actions/checkout@v3
+      - name: Checkout
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
      - name: Setup Go
-        uses: actions/setup-gov3
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
        with:
          go-version: 1.20.x
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
      - name: Download modules
        run: |
          make tidy
@ -41,11 +46,11 @@ jobs:
      - name:  Run Snyk to check for vulnerabilities
        continue-on-error: true
        run: |
-          snyk test --sarif-file-output=snyk.sarif
+          snyk test --all-projects --sarif-file-output=snyk.sarif
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      - name: Upload result to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2.2.7
        with:
          sarif_file: snyk.sarif

@ -53,17 +58,20 @@ jobs:
    name: CodeQL
    runs-on: ubuntu-latest
    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
+      - name: Checkout
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
      - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
        with:
          go-version: 1.20.x
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2.2.7
        with:
          languages: go
      - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2.2.7
      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2.2.7