build: Add more security scanning.

.github/workflows/gosec.yml

@@ -0,0 +1,29 @@
+---
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Run gosec
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  gosec_job:
+    runs-on: ubuntu-latest
+    name: Run gosec
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@v4
+
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@master
+        with:
+          args: ./...

.github/workflows/govulncheck.yml

@@ -0,0 +1,26 @@
+---
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Run govulncheck
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  govulncheck_job:
+    runs-on: ubuntu-latest
+    name: Run govulncheck
+    steps:
+      - id: govulncheck
+        uses: golang/govulncheck-action@v1
+        with:
+          check-latest: true

.github/workflows/osv-scanner.yml

@@ -0,0 +1,27 @@
+---
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Run govulncheck
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  osv_scanner_job:
+    runs-on: ubuntu-latest
+    name: Run osv-scanner
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@v4
+
+      - name: Check dependencies for security vulnerabilities
+        uses: g-rath/check-with-osv-detector@main

.github/workflows/trufflehog.yml

@@ -0,0 +1,33 @@
+---
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: TruffleHog Secrets Scan
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  trufflehog_job:
+    runs-on: ubuntu-latest
+    name: Run osv-scanner
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Check secrets with TruffleHog OSS
+        uses: trufflesecurity/trufflehog@main
+        with:
+          path: ./
+          head: HEAD
+          extra_args: --only-verified

Makefile

@@ -63,6 +63,7 @@ install-tools-go:
 	$(GO) install github.com/goph/licensei/cmd/licensei@latest
 	$(GO) install github.com/orlangure/gocovsh@latest
 	$(GO) install github.com/pelletier/go-toml/v2/cmd/tomljson@latest
+	$(GO) install github.com/securego/gosec/v2/cmd/gosec@latest
 	$(GO) install github.com/trufflesecurity/driftwood@latest
 	$(GO) install golang.org/x/perf/cmd/benchstat@latest
 	$(GO) install golang.org/x/tools/cmd/godoc@latest
@@ -213,6 +214,10 @@ vuln:
 	@ $(ECHO) "\033[1;33m=====> Running osv-scanner (https://osv.dev)...\033[0m"
 	osv-scanner -r .
 
+	@ $(ECHO) " "
+	@ $(ECHO) "\033[1;33m=====> Running gosec (https://github.com/securego/gosec)...\033[0m"
+	gosec -terse -tests ./...
+
 .PHONY: secrets
 ## secrets: [lint]* Checks for verifiable secrets.
 secrets:

corefunc/env_ensure_test.go

@@ -80,7 +80,7 @@ func BenchmarkEnvEnsure(b *testing.B) {
 		b.Run(name, func(b *testing.B) {
 			b.ResetTimer()
 			for i := 0; i < b.N; i++ {
-				EnvEnsure(tc.EnvVarName)
+				_ = EnvEnsure(tc.EnvVarName)
 			}
 		})
 	}
@@ -95,7 +95,7 @@ func BenchmarkEnvEnsureParallel(b *testing.B) {
 			b.ResetTimer()
 			b.RunParallel(func(pb *testing.PB) {
 				for pb.Next() {
-					EnvEnsure(tc.EnvVarName)
+					_ = EnvEnsure(tc.EnvVarName)
 				}
 			})
 		})

generator/main.go

@@ -129,7 +129,7 @@ func writeFileFromTemplate(varMap map[string]string, templatePath, writePath str
 
 	tmpl := newTemplate(templatePath)
 
-	f, err := os.Create(writePath) // lint:allow_possible_insecure
+	f, err := os.Create(writePath) // #nosec G304 -- lint:allow_possible_insecure
 	if err != nil {
 		panic(err)
 	}