fix: security scan CI failures#112

Merged
samber merged 2 commits intomainfrom
samber/fix-security-ci-failures
Apr 12, 2026

Conversation

@samber
Owner

@samber samber commented Apr 12, 2026

Summary

  • Add go-version-file: go.mod to all actions/setup-go steps (govulncheck, codeql, trivy-codeql, trivy-logs) to pin Go to the declared minimum and silence the version warning
  • Add .trivyignore suppressing 5 CVEs in recovery/gin transitive deps (golang.org/x/crypto + golang.org/x/net via gin v1.9.1) — Dependabot will handle bumps when a go 1.21-compatible fix is available
  • Wire trivyignores: .trivyignore into both trivy scan jobs so the ignore file is respected
  • Run go mod tidy across all sub-modules (examples, loggers, benchmarks, recovery/gin) to clean up stale go.sum files flagged by CodeQL autobuild

Fixes

  • govulncheck — still reports stdlib vulns (require Go 1.25 to fix) but CI now runs on the correct Go version
  • trivy-logs — 5 CVEs in recovery/gin suppressed via .trivyignore; job should pass

- Add go-version-file: go.mod to all setup-go steps (govulncheck, codeql, trivy-codeql, trivy-logs)
- Add .trivyignore for 5 CVEs in recovery/gin transitive deps (x/crypto, x/net via gin v1.9.1); Dependabot handles upgrades
- Add trivyignores: .trivyignore to both trivy jobs
- Run go mod tidy across all sub-modules (examples, loggers, benchmarks, recovery/gin)
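A minimal version of the two workflow settings described above, as an added example that is not the project's own security.yml (the job name, trigger, action pins and the placeholder CVE IDs are assumptions; the five real CVE IDs are not listed on this page):

```yaml
# Added illustration, not the repository's .github/workflows/security.yml.
name: security
on: [push, pull_request]

jobs:
  trivy-logs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Before: a hard-coded value such as `go-version: "1.22"` drifts from the
      # module's declared minimum and triggers setup-go's version warning.
      # After: read the toolchain from go.mod so CI tests the version users get.
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod

      # Trivy only honours an ignore file when the action is told where it is;
      # without `trivyignores` the suppressed CVEs keep failing the job.
      - uses: aquasecurity/trivy-action@<pin-to-a-release-tag-or-commit-sha>
        with:
          scan-type: fs
          scan-ref: .
          trivyignores: .trivyignore
          severity: HIGH,CRITICAL
          exit-code: "1"

# .trivyignore is plain text: one vulnerability ID per line, `#` comments
# allowed, and an optional `exp:YYYY-MM-DD` so the suppression expires.
# Placeholder IDs below; replace with the real entries for the transitive deps.
#
#   # golang.org/x/crypto and golang.org/x/net pulled in via gin v1.9.1;
#   # revisit once a Go 1.21-compatible fix is available to Dependabot
#   CVE-XXXX-XXXXX exp:2026-07-01
#   CVE-YYYY-YYYYY exp:2026-07-01
```

Time-boxing each entry with `exp:` keeps the ignore file from silently outliving the reason it was added.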
Copilot AI review requested due to automatic review settings April 12, 2026 15:35
@codecov

codecov bot commented Apr 12, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.74%. Comparing base (0372e7b) to head (5bed882).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #112   +/-   ##
=======================================
  Coverage   88.74%   88.74%           
=======================================
  Files          15       15           
  Lines        1155     1155           
=======================================
  Hits         1025     1025           
  Misses        103      103           
  Partials       27       27           
Flag      | Coverage Δ
unittests | 88.74% <ø> (ø)


Contributor

Copilot AI left a comment


Pull request overview

This PR addresses CI security-scan failures by aligning GitHub Actions’ Go toolchain selection with the repo’s declared Go version, configuring Trivy to honor an ignore list, and tidying Go module metadata across submodules.

Changes:

  • Pin actions/setup-go to use go-version-file: go.mod in security scan workflows.
  • Add .trivyignore and wire it into Trivy scan jobs to suppress known transitive CVEs.
  • Run go mod tidy across multiple submodules, updating go.mod/go.sum accordingly.

Reviewed changes

Copilot reviewed 14 out of 25 changed files in this pull request and generated 6 comments.

File | Description
.github/workflows/security.yml Uses go-version-file for setup-go; passes .trivyignore to Trivy jobs.
.trivyignore Adds Trivy ignore entries for specific CVEs in transitive deps.
benchmarks/go.mod Tidies module requirements (promotes lo to direct).
examples/log/go.mod Tidies deps; now pins github.com/samber/oops version.
examples/log/go.sum Updates sums after go mod tidy.
examples/logrus/go.mod Tidies deps; adds explicit requirements including logger module pseudo-version.
examples/logrus/go.sum Updates sums after go mod tidy.
examples/panic/go.mod Tidies deps; adds explicit requirements including logger module pseudo-version.
examples/panic/go.sum Updates sums after go mod tidy.
examples/segfault/go.mod Tidies deps; adds explicit requirements including logger module pseudo-version.
examples/segfault/go.sum Updates sums after go mod tidy.
examples/slog/go.mod Tidies deps; now pins github.com/samber/oops version.
examples/slog/go.sum Updates sums after go mod tidy.
examples/sources/go.mod Tidies deps; now pins github.com/samber/oops version.
examples/sources/go.sum Updates sums after go mod tidy.
examples/zap/go.mod Tidies indirect versions.
examples/zap/go.sum Updates sums after go mod tidy.
examples/zerolog/go.mod Tidies indirect versions.
examples/zerolog/go.sum Updates sums after go mod tidy.
loggers/logrus/go.mod Promotes go.uber.org/goleak to a direct requirement post-tidy.
loggers/logrus/go.sum Updates sums after go mod tidy.
loggers/zap/go.mod Promotes go.uber.org/goleak to a direct requirement post-tidy.
loggers/zap/go.sum Updates sums after go mod tidy.
loggers/zerolog/go.mod Promotes go.uber.org/goleak to a direct requirement post-tidy.
loggers/zerolog/go.sum Updates sums after go mod tidy.


@samber samber merged commit 1460827 into main Apr 12, 2026
15 of 16 checks passed
@samber samber deleted the samber/fix-security-ci-failures branch April 12, 2026 15:41