diff --git a/.evergreen/config.yml b/.evergreen/config.yml
index 05832906d1..c681d66c27 100644
--- a/.evergreen/config.yml
+++ b/.evergreen/config.yml
@@ -647,6 +647,14 @@ tasks:
 binary: bash
 args: [*task-runner, check-fmt, check-license, check-modules, lint]
+ - name: govulncheck
+ tags: ["static-analysis"]
+ commands:
+ - command: subprocess.exec
+ params:
+ binary: bash
+ args: [*task-runner, govulncheck]
+
 - name: pull-request-helpers
 allowed_requesters: ["patch", "github_pr"]
 commands:
diff --git a/Taskfile.yml b/Taskfile.yml
index 3473cb4981..2d6db5cf46 100644
--- a/Taskfile.yml
+++ b/Taskfile.yml
@@ -83,6 +83,8 @@ tasks:
 - GOOS=linux GOARCH=ppc64le etc/golangci-lint.sh
 - GOOS=linux GOARCH=s390x etc/golangci-lint.sh
+ govulncheck: bash etc/govulncheck.sh
+
 update-notices: bash etc/generate_notices.pl > THIRD-PARTY-NOTICES
 ### Local testing tasks. ###
diff --git a/etc/govulncheck.sh b/etc/govulncheck.sh
new file mode 100755
index 0000000000..055467d20a
--- /dev/null
+++ b/etc/govulncheck.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -ex
+
+# Use a specific Go version so that local govulncheck results are consistent
+# with CI results.
+#
+# Note: this needs to be updated if the listed Go version has vulnerabilities
+# discovered because they will show up in the scan results along with Go Driver
+# and dependency vulnerabilities.
+GO_VERSION=1.24.5
+
+go install golang.org/dl/go$GO_VERSION@latest
+go${GO_VERSION} download
+go install golang.org/x/vuln/cmd/govulncheck@latest
+
+# govulncheck uses the Go binary it finds from the PATH, so modify PATH to point
+# to the Go version we just downloaded.
+PATH="$(go${GO_VERSION} env GOROOT)/bin:$PATH" govulncheck -show verbose ./...
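Review bot: The pinned `GO_VERSION` is undercut by `go install golang.org/x/vuln/cmd/govulncheck@latest` in the new etc/govulncheck.sh: the scanner itself is unpinned, so local and CI runs can resolve different govulncheck releases despite the header comment's stated goal of consistent results, and a given CI run cannot be reproduced once a new release ships. Pin it the same way the toolchain is pinned, e.g. `GOVULNCHECK_VERSION=<pinned-version>` followed by `go install golang.org/x/vuln/cmd/govulncheck@${GOVULNCHECK_VERSION}`, and extend the header comment to say that the vulnerability database is still fetched live at scan time, so findings can change with no change to the repository or the pinned versions. The script also assumes `$(go env GOPATH)/bin` is already on PATH so that `go${GO_VERSION}` and `govulncheck` resolve after `go install`; if the Evergreen host does not guarantee that, prepend it explicitly with `PATH="$(go env GOPATH)/bin:$PATH"` before the first `go${GO_VERSION} download`. Minor style point: `go$GO_VERSION` and `go${GO_VERSION}` are mixed; use the braced form throughout.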