From 979334c6b395da50f4982a0b4f6b643fa64a1f36 Mon Sep 17 00:00:00 2001
From: Manas Srivastava
Date: Thu, 21 May 2026 22:26:26 +0530
Subject: [PATCH 1/3] ci: Tier 1 OSS security scanners
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Adds GitHub-native + free OSS vulnerability scanners. All tools are 100% free for public repos — no API keys, no external accounts, no metered billing surface.
- CodeQL with security-extended query suite (SQL injection, XSS, SSRF, log injection, path traversal, race conditions)
- Dependabot for gomod + github-actions (grouped security + version PRs)
- govulncheck (reachability-filtered CVE scan; Go-specific)
- OSV-Scanner (cross-ecosystem CVE scan against OSV.dev)
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/dependabot.yml | 31 +++++++++++++++++++++++++++++
 .github/workflows/codeql.yml | 33 +++++++++++++++++++++++++++++++
 .github/workflows/govulncheck.yml | 25 +++++++++++++++++++++++
 .github/workflows/osv-scanner.yml | 22 +++++++++++++++++++++
 4 files changed, 111 insertions(+)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/codeql.yml
 create mode 100644 .github/workflows/govulncheck.yml
 create mode 100644 .github/workflows/osv-scanner.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..73992aa
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,31 @@
+version: 2
+updates:
+ - package-ecosystem: gomod
+ directory: "/"
+ schedule:
+ interval: weekly
+ day: monday
+ time: "06:00"
+ timezone: Etc/UTC
+ open-pull-requests-limit: 5
+ groups:
+ gomod-security:
+ applies-to: security-updates
+ patterns:
+ - "*"
+ gomod-minor-patch:
+ applies-to: version-updates
+ update-types:
+ - minor
+ - patch
+
+ - package-ecosystem: github-actions
+ directory: "/"
+ schedule:
+ interval: weekly
+ day: monday
+ open-pull-requests-limit: 3
+ groups:
+ actions:
+ patterns:
+ - "*"
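Review bot: The `gomod` update job is likely to fail for the same reason the CI workflows did in the next commit of this series: that commit's message says go.mod carries `replace instant.dev/common => ../common` and `replace instant.dev/proto => ../proto`, and Dependabot clones only this repository, so those targets will be missing when it resolves the module graph. Check the Dependabot job log after the first Monday run; if it errors, the durable fix is versioned `require`s for the two sibling modules rather than path replaces, since as far as I know Dependabot cannot be told to clone siblings. A smaller style point: the `github-actions` schedule omits the `time`/`timezone` the `gomod` entry sets, so the two ecosystems run at different clock times; adding `time: "06:00"` and `timezone: Etc/UTC` to the second entry keeps them aligned.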
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..2cdb7ba
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,33 @@
+name: CodeQL
+
+on:
+ push:
+ branches: [master, main]
+ pull_request:
+ branches: [master, main]
+ schedule:
+ - cron: '17 6 * * 1'
+
+permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+jobs:
+ analyze:
+ name: Analyze (Go)
+ runs-on: ubuntu-latest
+ timeout-minutes: 30
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-go@v5
+ with:
+ go-version-file: go.mod
+ - uses: github/codeql-action/init@v3
+ with:
+ languages: go
+ queries: security-extended
+ - run: go build ./...
+ - uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:go"
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
new file mode 100644
index 0000000..942dd8e
--- /dev/null
+++ b/.github/workflows/govulncheck.yml
@@ -0,0 +1,25 @@
+name: govulncheck
+
+on:
+ push:
+ branches: [master, main]
+ pull_request:
+ branches: [master, main]
+ schedule:
+ - cron: '0 6 * * *'
+
+permissions:
+ contents: read
+
+jobs:
+ govulncheck:
+ runs-on: ubuntu-latest
+ timeout-minutes: 15
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-go@v5
+ with:
+ go-version-file: go.mod
+ check-latest: true
+ - run: go install golang.org/x/vuln/cmd/govulncheck@latest
+ - run: govulncheck ./...
diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
new file mode 100644
index 0000000..89d7540
--- /dev/null
+++ b/.github/workflows/osv-scanner.yml
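Review bot: Every action in this workflow is referenced by a floating major tag (`actions/checkout@v4`, `actions/setup-go@v5`, `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3`), so a moved or compromised tag in any of those repositories runs unreviewed code with `security-events: write` in this repository. Pin each `uses:` to a full commit SHA with the version as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`; the Dependabot `github-actions` entry added in this same commit keeps SHA pins current. The same applies to govulncheck.yml and osv-scanner.yml in this commit and to the checkout steps both workflows gain in the second commit of the series.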
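Review bot: `go install golang.org/x/vuln/cmd/govulncheck@latest` fetches whatever the newest release is on every run, so the scanner itself is an unpinned input and a run that fails or changes its output cannot be reproduced against a known version. Pin it, e.g. `run: go install golang.org/x/vuln/cmd/govulncheck@<pinned-version>`, and bump it deliberately. Because govulncheck exits non-zero when it reports a reachable vulnerability, this step is a blocking gate on every push and pull request, which nothing in the file says; a `name: Scan for reachable vulnerabilities (fails the job on findings)` on that step makes the intent visible to whoever next reads a red check.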
@@ -0,0 +1,22 @@
+name: OSV-Scanner
+
+on:
+ push:
+ branches: [master, main]
+ pull_request:
+ branches: [master, main]
+ schedule:
+ - cron: '0 6 * * *'
+
+permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+jobs:
+ scan:
+ uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.0.1
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
From d37c8e53473e5fba3a922e5a4b8ee47ad44d69f1 Mon Sep 17 00:00:00 2001
From: Manas Srivastava
Date: Thu, 21 May 2026 22:36:48 +0530
Subject: [PATCH 2/3] ci: scanner workflows clone sibling common + proto repos
The Tier 1 CodeQL + govulncheck workflows failed on PR #128 because this repo uses `replace instant.dev/common => ../common` and `replace instant.dev/proto => ../proto` in go.mod. The scanners checked out only api, so the sibling paths didn't resolve and the `go build ./...` step exited 1. Fix: each workflow now checks out api into ./api, plus clones public sibling repos InstaNode-dev/common and InstaNode-dev/proto. go build runs in api/, which can now resolve the replace targets.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/codeql.yml | 21 ++++++++++++++++++---
 .github/workflows/govulncheck.yml | 20 +++++++++++++++++---
 2 files changed, 35 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 2cdb7ba..c63ca5e 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
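Review bot: The `permissions` block is declared twice with identical contents, once at workflow level and again on the `scan` job that calls the reusable workflow; for a `uses:`-style job the job-level block is what bounds the called workflow's token, so the top-level copy adds nothing here and only widens the default for any job added to this file later. Dropping the workflow-level block, or reducing it to `contents: read`, keeps the grant at the one place it is consumed. Since the job delegates everything to `osv-scanner-reusable.yml@v2.0.1`, a one-line comment above `uses:` noting that this tag alone decides the scanner version, the fail-on-finding behaviour and the SARIF upload would tell the reviewer of a future bump what is actually changing.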
@@ -19,15 +19,30 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 30
 steps:
- - uses: actions/checkout@v4
+ - name: Checkout this repo
+ uses: actions/checkout@v4
+ with:
+ path: api
+ - name: Checkout sibling InstaNode-dev/common
+ uses: actions/checkout@v4
+ with:
+ repository: InstaNode-dev/common
+ path: common
+ - name: Checkout sibling InstaNode-dev/proto
+ uses: actions/checkout@v4
+ with:
+ repository: InstaNode-dev/proto
+ path: proto
 - uses: actions/setup-go@v5
 with:
- go-version-file: go.mod
+ go-version-file: api/go.mod
 - uses: github/codeql-action/init@v3
 with:
 languages: go
 queries: security-extended
- - run: go build ./...
+ - name: Build
+ working-directory: api
+ run: go build ./...
 - uses: github/codeql-action/analyze@v3
 with:
 category: "/language:go"
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
index 942dd8e..02073b3 100644
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -16,10 +16,24 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 15
 steps:
- - uses: actions/checkout@v4
+ - name: Checkout this repo
+ uses: actions/checkout@v4
+ with:
+ path: api
+ - name: Checkout sibling InstaNode-dev/common
+ uses: actions/checkout@v4
+ with:
+ repository: InstaNode-dev/common
+ path: common
+ - name: Checkout sibling InstaNode-dev/proto
+ uses: actions/checkout@v4
+ with:
+ repository: InstaNode-dev/proto
+ path: proto
 - uses: actions/setup-go@v5
 with:
- go-version-file: go.mod
+ go-version-file: api/go.mod
 check-latest: true
 - run: go install golang.org/x/vuln/cmd/govulncheck@latest
- - run: govulncheck ./...
+ - working-directory: api
+ run: govulncheck ./...
From ef541b1868ca11a13420fcc65ab5bb5bcebf2d90 Mon Sep 17 00:00:00 2001
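Review bot: With `common/` and `proto/` checked out beside `api/` inside the workspace, the `init` step still uses its default source root of `$GITHUB_WORKSPACE`, so the traced `go build` in `api/` will likely pull the sibling sources into the CodeQL database and any alert in them would be reported against paths such as `common/...` that do not exist in this repository and cannot be fixed or dismissed from here. Set `source-root: api` on the `init` step and `checkout_path: api` on the `analyze` step so findings resolve to this repository's files. Separately, the two sibling checkouts pass `repository:` but no `ref:`, so each scan builds against whatever the sibling default branch holds at that moment rather than a known revision, and a red or green run is not reproducible; pinning `ref:` to a tag or SHA fixes that. The same `ref:` point applies to the govulncheck.yml hunk in this commit.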
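Review bot: The three checkout steps added here are a line-for-line copy of the ones added to codeql.yml in the same commit, which is the kind of duplication that drifts when one workflow is later fixed and the other is not; a small composite action in this repository (for example `.github/actions/checkout-with-siblings`, a constructed name) that both workflows call would keep the sibling list and paths in one place. The final step also lost its label when it gained `working-directory: api`; a `name: govulncheck (api)` line alongside it keeps the job log readable. The `govulncheck:` job definition begins above this hunk.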
From: Manas Srivastava
Date: Thu, 21 May 2026 22:47:08 +0530
Subject: [PATCH 3/3] =?UTF-8?q?chore(go):=20bump=20toolchain=20to=201.25.1?= =?UTF-8?q?0=20=E2=80=94=20fixes=205=20reachable=20stdlib=20CVEs?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
govulncheck on PR #128 flagged five Go-stdlib vulnerabilities reachable from production code paths:
- GO-2026-4971 net.Dialer panic on NUL byte (Windows)
- GO-2026-4977 mail.ParseAddress edge cases
- GO-2026-4980 html/template unsafe contexts
- GO-2026-4982 html/template execute panic
- GO-2026-4986 mail.ParseAddress overflow
All fixed in Go 1.25.9–1.25.10. Bumping toolchain closes the reachability paths flagged by govulncheck. Also merges any in-flight master commits onto the scanner-install branch so PR #128 reflects current master state.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 go.mod | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/go.mod b/go.mod
index f447663..0cd368c 100644
--- a/go.mod
+++ b/go.mod
@@ -2,6 +2,8 @@ module instant.dev
 
 go 1.25.0
 
+toolchain go1.25.10
+
 require (
 github.com/DATA-DOG/go-sqlmock v1.5.2
 github.com/alicebob/miniredis/v2 v2.37.0