tendermint/.github/workflows/gosec.yml

name: Run Gosec
on:
  pull_request:
    paths:
      - '**/*.go'
      - 'go.mod'
      - 'go.sum'
  push:
    branches:
      - main
      - 'feature/*'
      - 'v0.37.x'
      - 'v0.34.x'
    paths:
      - '**/*.go'
      - 'go.mod'
      - 'go.sum'

jobs:
  Gosec:
    permissions:
      security-events: write

    runs-on: ubuntu-latest
    env:
      GO111MODULE: on
    steps:
      - name: Checkout Source
        uses: actions/checkout@v3

      - name: Run Gosec Security Scanner
        uses: cosmos/gosec@master
        with:
          # Let the report trigger a failure with the Github Security scanner features.
          args: "-no-fail -fmt sarif -out results.sarif ./..."

      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v2
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: results.sarif