From f743763964e2ea700e8ac839f2095d3224a623ec Mon Sep 17 00:00:00 2001
From: Gregor Riepl
Date: Thu, 17 Aug 2023 14:55:40 +0200
Subject: [PATCH] Add more Go checks

---
 .github/workflows/scan.yml | 51 ++++++++++++++++++++++++++++++--------
 1 file changed, 41 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 6ed806f..5042997 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -4,12 +4,15 @@ on:
   - push
   - pull_request
 
+defaults:
+  # would be nice if we could set this here:
+  #runs-on: ubuntu-latest
+  run:
+    shell: bash
+
 jobs:
-  go:
+  gosec:
     runs-on: ubuntu-latest
-    defaults:
-      run:
-        shell: bash
     steps:
       - name: checkout repo
         uses: actions/checkout@v3
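Review bot: The new top-level `defaults:` block is the natural place for a `permissions:` key, and none is visible in either hunk, so the SARIF upload steps run with whatever the repository's default `GITHUB_TOKEN` grants; a least-privilege block at the top of the file, `permissions:` with `contents: read` and `security-events: write`, makes the upload work on repositories whose default token is read-only and denies everything else to all three jobs. The commented-out `#runs-on: ubuntu-latest` under `defaults:` records a wish rather than configuration, since `defaults` only accepts `run`; it would read better as a comment on the first of the three duplicated `runs-on` lines, or dropped. The lines before `- push` (the `on:` key and anything above it) are outside the hunk, so a `permissions:` key placed there would not be visible here.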
@@ -18,19 +21,47 @@ jobs:
       - name: run gosec
         uses: securego/gosec@master
         with:
-          args: -fmt sarif -out results.sarif -stdout -verbose=text ./...
+          args: -fmt sarif -out gosec.sarif -stdout -verbose=text ./...
       - name: upload results
         uses: github/codeql-action/upload-sarif@v2
+        # run this even when the gosec task fails (otherwise we wouldn't get a result)
+        if: success() || failure()
+        # but ignore errors in case GH security upload isn't available
         continue-on-error: true
         with:
-          sarif_file: results.sarif
-      - name: run govulncheck
-        uses: golang/govulncheck-action@v1
+          sarif_file: gosec.sarif
+  govulncheck:
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout repo
+        uses: actions/checkout@v3
         with:
-          go-version-input: 1.19.0
-          go-package: ./...
+          sparse-checkout: go/
       - name: run govulncheck
         uses: golang/govulncheck-action@v1
         with:
           go-version-input: 1.19.0
           go-package: ./...
+      # this action doesn't produce a SARIF report yet, so there's nothing to upload.
+      # See: https://github.com/golang/go/issues/61347
+  tfsec:
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout repo
+        uses: actions/checkout@v3
+        with:
+          sparse-checkout: terraform/
+      - name: run tfsec
+        uses: aquasecurity/tfsec-action@v1.0.0
+        with:
+          working_directory: terraform/
+          format: sarif
+          additional_args: results.sarif
+      - name: upload results
+        uses: github/codeql-action/upload-sarif@v2
+        # run this even when the gosec task fails (otherwise we wouldn't get a result)
+        if: success() || failure()
+        # but ignore errors in case GH security upload isn't available
+        continue-on-error: true
+        with:
+          sarif_file: results.sarif
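Review bot: In the new tfsec job, `additional_args: results.sarif` is handed to the tfsec command line as a bare argument rather than an output-file option, so the SARIF most likely goes to stdout and the following `sarif_file: results.sarif` upload has nothing to send (and `continue-on-error: true` on that step would hide the failure); tfsec's CLI takes an output path via its `--out` option, so `additional_args: --out results.sarif` is closer, but because the step runs with `working_directory: terraform/` the file may be written under that directory — confirm where the action writes it and point `sarif_file` at the same path. The comment above the tfsec upload step still reads `# run this even when the gosec task fails`, copied from the gosec job; it should name tfsec. The action references added here — `aquasecurity/tfsec-action@v1.0.0`, the two new `actions/checkout@v3` lines and the new `github/codeql-action/upload-sarif@v2` — are mutable tags, and pinning each to a full-length commit SHA with the tag kept in a trailing comment stops a retagged release from silently changing what runs in this scanning workflow. `sparse-checkout: go/` paired with the existing `go-package: ./...` assumes the module root is still present after a sparse checkout; worth confirming against the repository layout.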