Go Security Scan Workflow Example

This guide shows how to configure HenKaiPan security scans for a Go project.


1. Create an API Token

Follow the GitHub Actions Setup Guide to create an API token and add it as a GitHub Secret.


2. Add the Workflow

Create .github/workflows/security.yml in your repository:

name: Go Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: "1.22"
          cache: true

      - name: Download dependencies
        run: go mod download

      - name: Run HenKaiPan Security Scan
        uses: dyallab/henkaipan-action@v1
        with:
          api-url: ${{ secrets.HENKAIPAN_API_URL }}
          api-key: ${{ secrets.HENKAIPAN_API_KEY }}
          project-id: ${{ secrets.HENKAIPAN_PROJECT_ID }}
          scanners: "semgrep,trivy,gitleaks"
          fail-on-severity: high

What Gets Scanned

Scanner   What it finds
semgrep   Insecure code patterns, SQL injection, command injection, hardcoded secrets in Go
trivy     Vulnerable Go modules (known CVEs in dependencies)
gitleaks  Secrets, API keys, tokens committed to the repository

Configuration Tips

Fast SAST Scan (no dependency check)

scanners: semgrep
fail-on-severity: medium

Full Scan (SAST + SCA + secrets)

scanners: all
fail-on-severity: high

Using Go workspaces

- name: Set up Go
  uses: actions/setup-go@v5
  with:
    go-version: "1.22"
    cache: true
- name: Set up workspace
  run: go work use ./...

Excluding Files

Add a .semgrepignore file to exclude paths from scanning:

vendor/
bin/
dist/
*.test.go
*_test.go
.go/

Using Private Modules

If your project uses private Go modules, configure authentication before scanning:

- name: Configure git
  run: |
    git config --global url."https://${{ secrets.GH_TOKEN }}@github.com/".insteadOf "https://github.com/"

Then run the scan after go mod download.


CI/CD Variables Reference

Variable          Required  Default  Description
api-url           Yes                HenKaiPan instance URL
api-key           Yes                API token
project-id        Yes                Project UUID
scanners          No        all      Scanner list
fail-on-severity  No                 Minimum severity to block
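To see what "minimum severity to block" means in practice, the gate can be reproduced locally on a constructed findings list. This is an added shell example, not the HenKaiPan action's own code; the severity ladder low < medium < high < critical, the tab-separated record layout and the sample findings are all assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Added example (not HenKaiPan's code): a local model of the fail-on-severity gate.
# Assumed severity ladder: low < medium < high < critical.

severity_rank() {
  case "$1" in
    low)      echo 1 ;;
    medium)   echo 2 ;;
    high)     echo 3 ;;
    critical) echo 4 ;;
    *)        echo 0 ;;   # unknown severity never blocks on its own
  esac
}

# should_block THRESHOLD FINDINGS
# FINDINGS holds newline-separated "scanner<TAB>severity<TAB>rule" records.
# Returns 0 (block the pipeline) when any finding is at or above THRESHOLD, else 1.
should_block() {
  threshold_rank=$(severity_rank "$1")
  printf '%s\n' "$2" | {
    while IFS="$(printf '\t')" read -r scanner severity rule; do
      [ -n "$severity" ] || continue
      if [ "$(severity_rank "$severity")" -ge "$threshold_rank" ]; then
        echo "blocking: $scanner reported $severity ($rule)" >&2
        exit 0   # exits only the pipeline subshell; becomes the function status
      fi
    done
    exit 1     # nothing at or above the threshold
  }
}

# Constructed sample findings (not real scanner output): one per scanner.
SAMPLE_FINDINGS="$(printf 'semgrep\tmedium\tgo-sqli-rule (constructed)\ntrivy\thigh\tvulnerable-module (constructed)\ngitleaks\tlow\tgeneric-api-key (constructed)')"

# With fail-on-severity: high the trivy finding blocks; with medium, semgrep's does too.
for threshold in high medium critical; do
  if should_block "$threshold" "$SAMPLE_FINDINGS"; then
    echo "fail-on-severity: $threshold -> pipeline blocked"
  else
    echo "fail-on-severity: $threshold -> pipeline passes"
  fi
done
```

With the sample data the gate blocks at high and medium but passes at critical, which is why lowering fail-on-severity, as in the fast SAST tip above, makes the same findings fail the build.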
