name: Run Gosec
on:
  pull_request:
    paths:
      - "**/*.go"
      - "go.mod"
      - "go.sum"
  push:
    branches:
      - main
    paths:
      - "**/*.go"
      - "go.mod"
      - "go.sum"

jobs:
  Gosec:
    permissions:
      security-events: write

    runs-on: ubuntu-latest
    env:
      GO111MODULE: on
    steps:
      - name: Checkout Source
        uses: actions/checkout@v4

      - name: Run Gosec Security Scanner
        uses: securego/gosec@master
        with:
          args: "-exclude=G101,G107 -exclude-generated -no-fail -fmt sarif -out results.sarif ./..."

      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif