
ci: add govulncheck workflow #2487

Open

kotakanbe wants to merge 3 commits into master from ci-govulncheck

Conversation

@kotakanbe (Member)

Summary

  • Add govulncheck CI workflow to detect known vulnerabilities in dependencies
  • Runs on PRs, master pushes, tag pushes, and weekly (Monday 9:00 UTC)
  • Uses golang/govulncheck-action@v1.0.4 with SHA pinning

Motivation

Vuls is a vulnerability scanner, but its own dependencies are not scanned for known CVEs in CI. This closes that gap.

Test plan

  • Workflow runs successfully on this PR
  • govulncheck reports no known vulnerabilities (or identifies actionable ones)

🤖 Generated with Claude Code
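The workflow described in the summary above, written out as an added example rather than the file from this PR; the action SHA and its `# v1.0.4` annotation are the ones shown on this page, while the `v*` tag pattern, the `permissions` block, and passing `go-version-file` to the action are assumptions:

```yaml
name: govulncheck

on:
  pull_request:
  push:
    branches: [master]
    tags: ['v*']            # assumption: release tags carry a v prefix
  schedule:
    - cron: '0 9 * * 1'     # weekly, Monday 09:00 UTC

# Least privilege for the token: the job only needs to read the repository.
# (Added as a hardening default; the PR description does not state permissions.)
permissions:
  contents: read

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      # The action performs its own checkout and Go setup (see the commit
      # message on this PR), so there are no separate checkout/setup-go steps.
      # The action is pinned by commit SHA; the trailing comment records the
      # tag that SHA corresponds to and must be updated whenever the SHA is.
      - name: Run govulncheck
        uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
        with:
          # assumption: the action accepts go-version-file, so the toolchain
          # (and therefore the standard-library checks) follows go.mod
          go-version-file: go.mod
```

Findings fail the job, so a newly published advisory for an existing dependency surfaces on the weekly run even when no code has changed.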

Copilot AI (Contributor) left a comment

Pull request overview

Adds a dedicated GitHub Actions workflow to run Go’s govulncheck in CI, so the project’s Go module dependencies are continuously scanned for known vulnerabilities alongside existing build/lint/test workflows.

Changes:

  • Introduces a govulncheck workflow triggered on PRs, master pushes, version tag pushes, and a weekly schedule.
  • Pins the checkout, setup-go, and golang/govulncheck-action actions by commit SHA.


claude added 2 commits on March 24, 2026 at 23:36
The action performs its own checkout and Go setup, so the explicit
steps caused a duplicate Authorization header error (HTTP 400).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…dency)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
with:
go-version-file: go.mod
- name: Run govulncheck
uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
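Review bot: the `with:` / `go-version-file: go.mod` lines at the top of this context belong to an explicit setup-go step, and the commit message on this PR says that step was removed because the action performs its own checkout and Go setup; after that removal, confirm the Go toolchain version is still taken from go.mod (via the action's own Go-version input, if it offers one) rather than silently falling back to the action's default, since govulncheck's standard-library findings depend on the Go version it runs with. The SHA pin with the `# v1.0.4` annotation on the `uses:` line is the right shape; keep the annotation in sync whenever the SHA is bumped, since a stale comment defeats the point of pinning.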
Collaborator left a comment

The commit is from 2024, very old with respect to GH workflows.
After that, a few nice changes were included:

Using a tagged commit is generally a nice option, but may we prefer newer ones?

@shino (Collaborator) commented Mar 25, 2026

@kotakanbe Can we remove the codeql workflow? https://github.com/future-architect/vuls/blob/master/.github/workflows/codeql-analysis.yml
Or are they complementary?


4 participants