Merge pull request #220 from arnested/govulncheck

Add security checks and hardening

Author: arnested

.github/workflows/build.yml

@@ -6,7 +6,7 @@ permissions:
 jobs:
   go-version:
     name: Lookup go versions
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     outputs:
       minimal: ${{ steps.go-version.outputs.minimal }}
       matrix: ${{ steps.go-version.outputs.matrix }}
@@ -17,7 +17,7 @@ jobs:
   go_generate:
     name: Check generated code is up to date
     needs: go-version
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     env:
       workdir: go/src/${{ github.repository }}
     steps:

.github/workflows/codeql-analysis.yml

@@ -16,7 +16,7 @@ permissions:
 jobs:
   analyse:
     name: Analyse
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
 
     steps:
     - name: Checkout repository

.github/workflows/dependency-review.yml

@@ -6,7 +6,7 @@ permissions:
 
 jobs:
   dependency-review:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: 'Checkout Repository'
         uses: actions/checkout@v3

.github/workflows/docker-image-security-scan.yml

@@ -7,7 +7,7 @@ jobs:
   security-scan:
     name: Docker build and scan
     if: '!github.event.deleted'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
     - uses: actions/checkout@v3
     - name: Set up Docker Buildx

.github/workflows/lint.yml

@@ -7,7 +7,7 @@ permissions:
 jobs:
   dockerfile:
     name: dockerfile
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v3
       - name: Run hadolint
@@ -17,15 +17,15 @@ jobs:
 
   markdownlint:
     name: markdown
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
     - uses: actions/checkout@v3
     - name: Run markdownlint
       uses: DavidAnson/markdownlint-cli2-action@v11
 
   golangci:
     name: lint
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v3
       - uses: arnested/go-version-action@v1

.github/workflows/release.yml

@@ -13,7 +13,7 @@ permissions:
   actions: read
 jobs:
   bump-version:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
     - uses: actions/checkout@v3
       with:
@@ -86,7 +86,7 @@ jobs:
         message: "Released `${{ github.repository }}`@`${{ github.sha }}` as ${{ steps.version.outputs.tag }}: *${{ job.status }}*."
   docker-build:
     name: Docker build and push
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
     - uses: actions/checkout@v3
     - name: Set up Docker Buildx

.github/workflows/security.yml

@@ -0,0 +1,41 @@
+name: Security Checks
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+  schedule:
+    - cron: '0 15 * * 0'
+
+permissions:
+  contents: read
+  actions: read
+  pull-requests: read
+  security-events: write
+
+jobs:
+  gosec:
+    name: Golang Security Checker
+    runs-on: ubuntu-22.04
+    env:
+      GO111MODULE: on
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@v3
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@master
+        with:
+          args: '-no-fail -fmt sarif -out results.sarif -tests ./...'
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: results.sarif
+  govulncheck:
+    name: Govulncheck
+    runs-on: ubuntu-22.04
+    steps:
+    - id: govulncheck
+      uses: golang/govulncheck-action@master
+      with:
+        go-version-file: go.mod

main.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"net/http"
 	"os"
+	"time"
 
 	"github.com/elnormous/contenttype"
 )
@@ -20,10 +21,13 @@ func main() {
 		doHealthcheck(ctx)
 	}
 
-	addr := getAddr()
+	server := &http.Server{
+		Addr:              getAddr(),
+		ReadHeaderTimeout: 3 * time.Second,
+	}
 
 	http.HandleFunc("/", handler)
-	err := http.ListenAndServe(addr, nil)
+	err := server.ListenAndServe()
 	if err != nil {
 		fmt.Print(err)
 	}