
Commit vulnerability scan workflow #55

@sgaunet

Issue: Vulnerability Scan Workflow Not Committed

Priority

🟢 LOW (Maintenance)

Location

.github/workflows/vulnerability-scan.yml (untracked)

Description

A vulnerability scan workflow exists in the repository but is not committed to version control. This file should either be committed or removed.

Current Status

$ git status
?? .github/workflows/vulnerability-scan.yml

Options

Option 1: Commit the Workflow (Recommended)
If the workflow is functional and useful:

git add .github/workflows/vulnerability-scan.yml
git commit -m "ci: add vulnerability scanning workflow"

Benefits:

  • Automated security scanning
  • Early detection of vulnerable dependencies
  • Shows security-conscious development
  • Part of CI/CD best practices

Option 2: Remove the Workflow
If it's not needed or redundant:

rm .github/workflows/vulnerability-scan.yml

Option 3: Add to .gitignore
If it's a local development file:

echo '.github/workflows/vulnerability-scan.yml' >> .gitignore

Recommended Action

Review the workflow first:

  1. Check what the workflow does
  2. Ensure it's configured correctly
  3. Verify credentials/secrets are not hardcoded
  4. Test that it runs successfully

Then commit it if:

  • ✅ It's properly configured
  • ✅ It adds value (security scanning, dependency checking, etc.)
  • ✅ No secrets or credentials are embedded

Typical Vulnerability Scan Workflows

Golang Security Scanning:

name: Security Scan

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: '0 0 * * 0'  # Weekly

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - uses: actions/setup-go@v5
        with:
          go-version-file: 'go.mod'
      
      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest
      
      - name: Run govulncheck
        run: govulncheck ./...

Dependency Scanning (Trivy, Snyk, etc.):

- name: Run Trivy scanner
  uses: aquasecurity/trivy-action@master
  with:
    scan-type: 'fs'
    scan-ref: '.'
    format: 'sarif'
    output: 'trivy-results.sarif'

Acceptance Criteria

  • Review .github/workflows/vulnerability-scan.yml content
  • Decide: commit, remove, or gitignore
  • If committing: ensure no secrets are embedded
  • If committing: test workflow runs successfully
  • If committing: add appropriate labels/triggers
  • If removing: document why (if relevant)
  • Update .gitignore if needed

Testing

After committing, verify the workflow:

# Push and check GitHub Actions
git push

# Or test locally with act
act -j vulnerability-scan

Related Issues

  • Complements existing CI/CD (linter, coverage, release)
  • Part of security best practices

Security Considerations

Before committing, verify:

  • ❌ No API keys or tokens
  • ❌ No hardcoded credentials
  • ✅ Uses GitHub secrets for sensitive data
  • ✅ Permissions are minimal (read-only where possible)
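The review steps above (no hardcoded credentials, minimal permissions) and the earlier "Recommended Action" checklist can be automated before `git add`. The following checker is an added example, not part of this issue or the project; it works line by line so it needs no YAML library, and the sample workflow, the `SNYK_TOKEN` name and the all-zero commit SHA in it are constructed placeholders.

```python
"""Pre-commit check for a GitHub Actions workflow (line-based, no PyYAML needed):
literal credentials, missing/write-all top-level `permissions`, mutable `uses:` refs."""
import re

# Keys whose literal values must not be committed; `${{ secrets.NAME }}` is the accepted form.
SECRET_KEY = re.compile(
    r"^\s*-?\s*([\w-]*(TOKEN|SECRET|PASSWORD|API_KEY|PRIVATE_KEY)[\w-]*)\s*:\s*(\S.*)$", re.I)
USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)@(\S+)")
MUTABLE_REFS = {"master", "main", "latest", "develop"}  # branch names, not pinned versions


def check_workflow(text: str) -> list[str]:
    """Return findings for one workflow file; an empty list means it passed."""
    findings, has_permissions = [], False
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("permissions:"):  # top-level block is unindented
            has_permissions = True
            if "write-all" in line:
                findings.append(f"line {n}: permissions: write-all; grant read-only scopes")
        if m := SECRET_KEY.match(line):
            value = m.group(3).strip()
            if "${{ secrets." not in value and value not in ("|", ">"):
                findings.append(f"line {n}: literal value for {m.group(1)}; use ${{{{ secrets.NAME }}}}")
        if (m := USES.match(line)) and m.group(2) in MUTABLE_REFS:
            findings.append(f"line {n}: {m.group(1)}@{m.group(2)} is a mutable ref; pin a tag or SHA")
    if not has_permissions:
        findings.append("no top-level permissions block; the default GITHUB_TOKEN scopes apply")
    return findings


# Constructed sample: the issue's Trivy step plus a deliberately bad env entry (placeholder value).
BAD_WORKFLOW = """\
name: Security Scan
jobs:
  trivy:
    runs-on: ubuntu-latest
    env:
      SNYK_TOKEN: snyk-example-not-a-real-token
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy scanner
        uses: aquasecurity/trivy-action@master
"""

# The same workflow after the fixes the checklist asks for (the 40-zero SHA is a placeholder).
GOOD_WORKFLOW = BAD_WORKFLOW.replace(
    "SNYK_TOKEN: snyk-example-not-a-real-token", "SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}"
).replace("trivy-action@master", "trivy-action@" + "0" * 40).replace(
    "jobs:", "permissions:\n  contents: read\njobs:")
```

Run `check_workflow(open(".github/workflows/vulnerability-scan.yml").read())` against the untracked file; an empty list means the three checks passed.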

Priority Justification

Low priority because:

  • Doesn't affect functionality
  • Project already has good CI/CD coverage
  • Can be done anytime
  • Not blocking other work

But it should be resolved to keep the repository clean.

Labels: chore, cicd (CI/CD related issues)