mongodb · matthewdale · Jul 25, 2025 · Jul 24, 2025
@@ -647,6 +647,14 @@ tasks:
           binary: bash
           args: [*task-runner, check-fmt, check-license, check-modules, lint]
 
+  - name: govulncheck
+    tags: ["static-analysis"]
+    commands:
+      - command: subprocess.exec
+        params:
+          binary: bash
+          args: [*task-runner, govulncheck]
+
   - name: pull-request-helpers
     allowed_requesters: ["patch", "github_pr"]
     commands:

@@ -83,6 +83,8 @@ tasks:
       - GOOS=linux GOARCH=ppc64le etc/golangci-lint.sh
       - GOOS=linux GOARCH=s390x etc/golangci-lint.sh
 
+  govulncheck: bash etc/govulncheck.sh
+
   update-notices: bash etc/generate_notices.pl > THIRD-PARTY-NOTICES
 
   ### Local testing tasks. ###

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -ex
+
+# Use a specific Go version so that local govulncheck results are consistent
+# with CI results.
+#
+# Note: this needs to be updated if the listed Go version has vulnerabilities
+# discovered because they will show up in the scan results along with Go Driver
+# and dependency vulnerabilities.
+GO_VERSION=1.24.5
+
+go install golang.org/dl/go$GO_VERSION@latest
+go${GO_VERSION} download
+go install golang.org/x/vuln/cmd/govulncheck@latest
+
+# govulncheck uses the Go binary it finds from the PATH, so modify PATH to point
+# to the Go version we just downloaded.
+PATH="$(go${GO_VERSION} env GOROOT)/bin:$PATH" govulncheck -show verbose ./...