kubernetes · jaehnri · Jan 1, 2023 · Jan 1, 2023 · Jan 1, 2023 · Jan 1, 2023
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -187,12 +187,62 @@ jobs:
             ingress-controller/controller-chroot:1.0.0-dev \
             | pigz > docker.tar.gz
 
+          # pigz needs write permission to zip the scannable binary  
+          sudo chown -R $USER:$USER /home/runner/work/ingress-nginx
+          pigz rootfs/bin/amd64/scannable-nginx-ingress-controller
+
       - name: cache
         uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
         with:
           name: docker.tar.gz
           path: docker.tar.gz
 
+      - name: Upload scannable binary
+        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
+        with:
+          name: scannable-nginx-ingress-controller.gz
+          path: rootfs/bin/amd64/scannable-nginx-ingress-controller.gz
+
+  govulncheck:
+    name: govulncheck
+    runs-on: ubuntu-latest
+    needs:
+      - changes
+      - build
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
+
+      - name: Download binary
+        uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3.0.1
+        with:
+          name: scannable-nginx-ingress-controller.gz
+
+      - name: Unzip binary
+        run: |
+          echo "loading ingress binary file..."
+          pigz -d scannable-nginx-ingress-controller.gz
+
+      - name: Scan for Vulnerabilities in Code
+        uses: Templum/[email protected]
+        with:
+          go-version: 1.19
+          vulncheck-version: latest
+          skip-upload: true
+          package: scannable-nginx-ingress-controller
+          fail-on-vuln: false
+
+      - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v2.0.0
+        with:
+          name: scannable-nginx-ingress-controller.gz
+          failOnError: false
+
+      - name: Upload SARIF report
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: govulncheck-report.sarif
+
   helm:
     name: Helm chart
     runs-on: ubuntu-latest

diff --git a/build/build.sh b/build/build.sh
@@ -57,6 +57,16 @@ ${GO_BUILD_CMD} \
   -buildvcs=false \
   -o "${TARGETS_DIR}/nginx-ingress-controller" "${PKG}/cmd/nginx"
 
+echo "Building ${PKG}/cmd/nginx with Go's symbol table"
+
+${GO_BUILD_CMD} \
+  -trimpath -ldflags="-buildid= -w \
+  -X ${PKG}/version.RELEASE=${TAG} \
+  -X ${PKG}/version.COMMIT=${COMMIT_SHA} \
+  -X ${PKG}/version.REPO=${REPO_INFO}" \
+  -buildvcs=false \
+  -o "${TARGETS_DIR}/scannable-nginx-ingress-controller" "${PKG}/cmd/nginx"
+
 echo "Building ${PKG}/cmd/dbg"
 
 ${GO_BUILD_CMD} \