Security scan workflow (samber/mo)
The Security scan workflow from samber/mo, explained and optimized by Latchkey.
CI health: C - fair
Point runs-on at Latchkey and get run de-duplication, job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Security scan workflow from the samber/mo repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Security scan
on:
push:
branches:
- master
pull_request:
schedule:
- cron: '0 3 * * 1'
workflow_dispatch: # Allow manual trigger
permissions:
contents: read
# required for codeql analysis
security-events: write
jobs:
# govulncheck:
# name: govulncheck
# runs-on: ubuntu-latest
# strategy:
# fail-fast: false
# steps:
# - uses: actions/checkout@v7
# - uses: actions/setup-go@v6
# - name: Install govulncheck
# run: go install golang.org/x/vuln/cmd/govulncheck@latest
# - name: govulncheck
# run: govulncheck ./...
bearer:
name: bearer
runs-on: ubuntu-latest
strategy:
fail-fast: false
steps:
- uses: actions/checkout@v7
- name: Bearer
uses: bearer/bearer-action@v2
with:
skip-path: 'docs/'
codeql:
name: codeql
runs-on: ubuntu-latest
strategy:
fail-fast: false
steps:
- uses: actions/checkout@v7
- uses: actions/setup-go@v6
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: go
- name: Autobuild
uses: github/codeql-action/autobuild@v4
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
trivy-codeql:
name: trivy-codeql
runs-on: ubuntu-latest
strategy:
fail-fast: false
steps:
- uses: actions/checkout@v7
- uses: actions/setup-go@v6
- name: Run Trivy vulnerability scanner (source code)
uses: aquasecurity/trivy-action@v0.36.0
with:
scan-type: "fs"
scan-ref: "."
scanners: "vuln,secret,misconfig"
format: "sarif"
output: "trivy-results.sarif"
severity: "CRITICAL,HIGH,MEDIUM"
ignore-unfixed: true
skip-dirs: "docs/"
- name: Upload Trivy results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v4
if: always()
with:
sarif_file: "trivy-results.sarif"
trivy-logs:
name: trivy-logs
runs-on: ubuntu-latest
strategy:
fail-fast: false
steps:
- uses: actions/checkout@v7
- uses: actions/setup-go@v6
- name: Run Trivy scanner (table output for logs)
uses: aquasecurity/trivy-action@v0.36.0
if: always()
with:
scan-type: "fs"
scan-ref: "."
scanners: "vuln,secret,misconfig"
format: "table"
severity: "CRITICAL,HIGH,MEDIUM"
ignore-unfixed: true
exit-code: "1"
skip-dirs: "docs/"
- name: Run Trivy scanner (license)
uses: aquasecurity/trivy-action@v0.36.0
if: always()
with:
scan-type: fs
scan-ref: .
scanners: license
severity: UNKNOWN,HIGH,CRITICAL
format: table
skip-dirs: "docs/"
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
name: Security scan on: push: branches: - master pull_request: schedule: - cron: '0 3 * * 1' workflow_dispatch: # Allow manual trigger permissions: contents: read # required for codeql analysis security-events: write concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: # govulncheck: # name: govulncheck # runs-on: latchkey-small # strategy: # fail-fast: false # steps: # - uses: actions/checkout@v7 # - uses: actions/setup-go@v6 # - name: Install govulncheck # run: go install golang.org/x/vuln/cmd/govulncheck@latest # - name: govulncheck # run: govulncheck ./... bearer: timeout-minutes: 30 name: bearer runs-on: latchkey-small strategy: fail-fast: false steps: - uses: actions/checkout@v7 - name: Bearer uses: bearer/bearer-action@v2 with: skip-path: 'docs/' codeql: timeout-minutes: 30 name: codeql runs-on: latchkey-small strategy: fail-fast: false steps: - uses: actions/checkout@v7 - uses: actions/setup-go@v6 - name: Initialize CodeQL uses: github/codeql-action/init@v4 with: languages: go - name: Autobuild uses: github/codeql-action/autobuild@v4 - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v4 trivy-codeql: timeout-minutes: 30 name: trivy-codeql runs-on: latchkey-small strategy: fail-fast: false steps: - uses: actions/checkout@v7 - uses: actions/setup-go@v6 - name: Run Trivy vulnerability scanner (source code) uses: aquasecurity/trivy-action@v0.36.0 with: scan-type: "fs" scan-ref: "." scanners: "vuln,secret,misconfig" format: "sarif" output: "trivy-results.sarif" severity: "CRITICAL,HIGH,MEDIUM" ignore-unfixed: true skip-dirs: "docs/" - name: Upload Trivy results to GitHub Security tab uses: github/codeql-action/upload-sarif@v4 if: always() with: sarif_file: "trivy-results.sarif" trivy-logs: timeout-minutes: 30 name: trivy-logs runs-on: latchkey-small strategy: fail-fast: false steps: - uses: actions/checkout@v7 - uses: actions/setup-go@v6 - name: Run Trivy scanner (table output for logs) uses: aquasecurity/trivy-action@v0.36.0 if: always() with: scan-type: "fs" scan-ref: "." scanners: "vuln,secret,misconfig" format: "table" severity: "CRITICAL,HIGH,MEDIUM" ignore-unfixed: true exit-code: "1" skip-dirs: "docs/" - name: Run Trivy scanner (license) uses: aquasecurity/trivy-action@v0.36.0 if: always() with: scan-type: fs scan-ref: . scanners: license severity: UNKNOWN,HIGH,CRITICAL format: table skip-dirs: "docs/"
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cancel superseded runs when a branch or PR gets a newer push.
- Add a job timeout so a hung step cannot burn hours of runner time.
2 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
This workflow runs 4 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.