name: Run Gosec
on:
  pull_request:
  push:
    branches:
      - main

jobs:
  Gosec:
    runs-on: ubuntu-latest
    env:
      GO111MODULE: on
    steps:
      - name: Checkout Source
        uses: actions/checkout@v3
      - name: Get Diff
        uses: technote-space/get-diff-action@v6.1.0
        with:
          PATTERNS: |
            **/*.go
            go.mod
            go.sum
      - name: Run Gosec Security Scanner
        uses: informalsystems/gosec@master
        with:
          # we let the report trigger content trigger a failure using the GitHub Security features.
          args: '-no-fail -fmt sarif -out results.sarif ./...'
        if: "env.GIT_DIFF_FILTERED != ''"
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v2
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: results.sarif
        if: "env.GIT_DIFF_FILTERED != ''"