action.yaml

@@ -50,3 +50,8 @@ runs:
     - name: "run security checks"
       shell: bash
       run:  ${{ github.action_path }}/src/security.sh
+      env:
+        STATIC_FLAG: ${{ inputs.static }}
+        STATIC_FAIL: ${{ inputs.static-fail }}
+        VULN_CHECK: ${{ inputs.vulnerability }}
+        VULN_FAIL: ${{ inputs.vulnerability-fail }}

src/security.sh

@@ -2,13 +2,19 @@
 
 set -eo pipefail
 
-if [[ "$STATIC_FLAG" == "no" && "$VULN_SCAN" == "no" ]]; then
+if [[ "$STATIC_FLAG" == "no" && "$VULN_CHECK" == "no" ]]; then
     echo "[INFO] no security flags set, skipping!";
     exit 0;
 fi
 
+toolchain=$(go mod edit go.mod -json | jq ".Toolchain");
+version=$(go mod edit -json | jq ".Toolchain");
+if [[ ! -z "$toolchain" ]]; then
+    version=$toolchain;
+fi
+
 if [[ "$STATIC_FLAG" == "yes" ]]; then
-    if gosec ./...; then
+    if GOTOOLCHAIN=$version gosec ./...; then
         echo "[INFO] gosec passed!";
     else
         if [[ "$STATIC_FAIL" == "yes" ]]; then
@@ -21,7 +27,7 @@ if [[ "$STATIC_FLAG" == "yes" ]]; then
 fi
 
 if [[ "$VULN_CHECK" == "yes" ]]; then
-    if govulncheck ./...; then
+    if GOTOOLCHAIN=$version govulncheck ./...; then
         echo "[INFO] govulncheck passed!";
     else
         if [[ "$VULN_FAIL" == "yes" ]]; then