Compare commits

...

4 Commits

Author SHA1 Message Date
Jim Chen
df68a20f2a
Merge 6c7a318468ce708b91c1afbf4a32e493d65fab22 into 5e5ff3ace496a31b138b0820136a146bfb5de0ef 2025-11-06 21:00:13 +08:00
Bo-Yi Wu
5e5ff3ace4
ci: replace vulnerability scanning workflow with Trivy integration (#4421)
- Remove the vulnerability-scanning job from the gin workflow
- Add a dedicated Trivy security scan workflow with scheduled, push, pull request, and manual triggers
- Improve Trivy scan output by uploading SARIF results to the GitHub Security tab and logging table output

Signed-off-by: Bo-Yi Wu <appleboy.tw@gmail.com>
2025-11-06 14:15:50 +08:00
jimchen
6c7a318468 fix: fix URL path value still unescaped when UnescapePathValues set false 2024-08-21 09:45:05 +08:00
jimchen
bf6728e53b fix: fix URL path value still unescaped when UnescapePathValues set false
Closes #4033
2024-08-20 18:12:40 +08:00
4 changed files with 60 additions and 19 deletions

View File

@ -81,19 +81,3 @@ jobs:
uses: codecov/codecov-action@v5
with:
flags: ${{ matrix.os }},go-${{ matrix.go }},${{ matrix.test-tags }}
vulnerability-scanning:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
with:
fetch-depth: 0
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@0.33.1
with:
scan-type: "fs"
ignore-unfixed: true
format: "table"
exit-code: "1"
severity: "CRITICAL,HIGH,MEDIUM"

57
.github/workflows/trivy-scan.yml vendored Normal file
View File

@ -0,0 +1,57 @@
name: Trivy Security Scan
on:
push:
branches:
- master
pull_request:
branches:
- master
schedule:
# Run every 3 months (quarterly) on the 1st day at 00:00 UTC
# Months: January (1), April (4), July (7), October (10)
- cron: '0 0 1 1,4,7,10 *'
workflow_dispatch: # Allow manual trigger
permissions:
contents: read
security-events: write # Required for uploading SARIF results
jobs:
trivy-scan:
name: Trivy Security Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v5
with:
fetch-depth: 0
- name: Run Trivy vulnerability scanner (source code)
uses: aquasecurity/trivy-action@0.33.1
with:
scan-type: 'fs'
scan-ref: '.'
scanners: 'vuln,secret,misconfig'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH,MEDIUM'
ignore-unfixed: true
- name: Upload Trivy results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results.sarif'
- name: Run Trivy scanner (table output for logs)
uses: aquasecurity/trivy-action@0.33.1
if: always()
with:
scan-type: 'fs'
scan-ref: '.'
scanners: 'vuln,secret,misconfig'
format: 'table'
severity: 'CRITICAL,HIGH,MEDIUM'
ignore-unfixed: true
exit-code: '1'

4
gin.go
View File

@ -662,8 +662,8 @@ func (engine *Engine) handleHTTPRequest(c *Context) {
httpMethod := c.Request.Method
rPath := c.Request.URL.Path
unescape := false
if engine.UseRawPath && len(c.Request.URL.RawPath) > 0 {
rPath = c.Request.URL.RawPath
if engine.UseRawPath {
rPath = c.Request.URL.EscapedPath()
unescape = engine.UnescapePathValues
}

View File

@ -270,7 +270,7 @@ func LoggerWithConfig(conf LoggerConfig) HandlerFunc {
return func(c *Context) {
// Start timer
start := time.Now()
path := c.Request.URL.Path
path := c.Request.URL.EscapedPath()
raw := c.Request.URL.RawQuery
// Process request