Out of curiosity and a little concern... this line makes it always be true, even if the scan finds an issue... kinda defeats the purpose of the scan.
Why was this set up this way?

apt-proxy/.github/workflows/scan.yml, line 38 in 19ee220:

    govulncheck ./... || true

Also, the Go version used is 1.25.4 while the scan uses 1.23; this can lead to missed vulnerabilities in the scan.

apt-proxy/.github/workflows/scan.yml, line 33 in 19ee220

Another thing: using securego/gosec@master instead of a pinned version makes supply chain attacks easier.

apt-proxy/.github/workflows/scan.yml, line 41 in 19ee220:

    uses: securego/gosec@master