Add support for sonatype nancy vulnerability scanning#153

Merged
hantmac merged 4 commits into openkruise:master from Parship999:sonatype-nancy-vulnerability-scanning-new
Jul 22, 2025
Conversation

@Parship999

Which issue is this PR solving?

Changes Made

  • Files Modified
    • .github/workflows/ci.yaml
    • .nancy-ignore (New file)
    • README.md

Security Tools Implemented

  • Nancy by sonatype
    • Scans all Go dependencies against Sonatype OSS Index
    • comprehensive vulnerability database coverage
    • provides detailed CVE information and CVSS scores
  • govulncheck (official Go tool)
    • uses call graph analysis to reduce false positives
    • only reports vulnerabilities in actually-used code paths

How It Works

  • Runs on every push to master and release branches
  • Runs on every pull request
  • generates dependency list using go list -json -deps
  • scans dependencies with both tools
  • fails build if vulnerabilities are found

Testing Results

  • Tested locally on current codebase
  (attached screenshot: Screenshot 2025-07-14 223502)

Why use Nancy + govulncheck Together?

  • think of it like this:
    • Nancy checks everything: it looks through all your project's dependencies and flags known vulnerabilities, even the ones you're not using directly.
    • govulncheck goes deeper, it checks your actual code to see if you’re really using anything dangerous.

Together, they are the perfect combo

Signed-off-by: Parship Chowdhury <i.am.parship@gmail.com>
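The pipeline the description lists under "How It Works" (dependency list from `go list -json -deps`, a scan by each tool, build failure on any finding), written out as a stand-alone script. This is an added example, not code from this PR or from the kruise-tools `ci.yaml`. It assumes `nancy` and `govulncheck` are on PATH (installable with `go install github.com/sonatype-nexus-community/nancy@latest` and `go install golang.org/x/vuln/cmd/govulncheck@latest`), and that `.nancy-ignore` holds one vulnerability ID per line with `#` comments, which is assumed to be nancy's default ignore-file location and format. The `active_ignores` and `gate` helpers are this example's own additions, so that the suppression list is visible in the CI log and the fail/pass policy can be exercised without the scanners installed.

```shell
#!/bin/sh
# Added example: run Nancy and govulncheck over a Go module and fail the
# build if either reports a finding. Not the PR's own workflow.
# Assumptions: go, nancy and govulncheck are on PATH; the ignore file is
# ./.nancy-ignore (assumed nancy default) with one ID per line, # comments.
set -u

IGNORE_FILE="${NANCY_IGNORE_FILE:-.nancy-ignore}"

# Print the active entries of an ignore file: comments (from # to end of
# line) and blank lines dropped, surrounding whitespace trimmed. Printing
# this in CI makes every suppressed finding visible to reviewers.
active_ignores() {
  [ -f "$1" ] || return 0
  sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
    | grep -v '^$' || true
}

# Nancy: every module in the dependency graph, direct or transitive, is
# checked against Sonatype OSS Index. Nancy reads the go list JSON on stdin
# and exits non-zero when a non-ignored vulnerability is found.
run_nancy() {
  go list -json -deps ./... | nancy sleuth
}

# govulncheck: call-graph analysis, so only vulnerabilities in code paths
# reachable from this module are reported; non-zero exit on a finding.
run_govulncheck() {
  govulncheck ./...
}

# Build policy: pass only when both scanners exited 0. Kept as a function
# (arguments are the two exit statuses) so it is testable without the tools.
gate() {
  nancy_status="$1"
  govuln_status="$2"
  if [ "$nancy_status" -ne 0 ] || [ "$govuln_status" -ne 0 ]; then
    echo "vulnerability scan failed (nancy=$nancy_status govulncheck=$govuln_status)" >&2
    return 1
  fi
  echo "vulnerability scan passed"
  return 0
}

main() {
  for tool in go nancy govulncheck; do
    command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; exit 2; }
  done
  if [ -n "$(active_ignores "$IGNORE_FILE")" ]; then
    echo "findings suppressed by $IGNORE_FILE:"
    active_ignores "$IGNORE_FILE" | sed 's/^/  /'
  fi
  # Run both scanners even if the first fails, so one CI run shows all findings.
  run_nancy; nancy_rc=$?
  run_govulncheck; govuln_rc=$?
  gate "$nancy_rc" "$govuln_rc"
}

# Scan only when invoked as `sh scan.sh run`; sourcing the file (for example
# from a test) loads the functions without executing the scanners.
[ "${1:-}" = "run" ] && main
```

In a workflow the script is invoked with `run` after `actions/setup-go`; because `main` runs both scanners before calling `gate`, a single CI run reports Nancy's full-graph findings and govulncheck's reachable findings side by side instead of stopping at the first tool.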
Parship Chowdhury added 2 commits July 15, 2025 15:58
@Parship999
Author

@furykerry @FillZpp @hantmac I have fixed the vulnerability scan check. To pass it I have updated the Go version; that's why the golangci-lint check is failing.

@kruise-bot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hantmac

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@hantmac hantmac merged commit 7c240e5 into openkruise:master Jul 22, 2025
3 of 5 checks passed
@Parship999
Author

Thanks

GautamBytes pushed a commit to GautamBytes/kruise-tools that referenced this pull request Aug 20, 2025
* added sonatype nancy vulnerability scanning

Signed-off-by: Parship Chowdhury <i.am.parship@gmail.com>

* fix 1

Signed-off-by: Parship Chowdhury <i.am.parship@gmail.com>

* fix 2

Signed-off-by: Parship Chowdhury <i.am.parship@gmail.com>

* vulnerability check fixed

Signed-off-by: Parship Chowdhury <i.am.parship@gmail.com>

---------

Signed-off-by: Parship Chowdhury <i.am.parship@gmail.com>

Successfully merging this pull request may close these issues.

[Feat/Security] Add support for sonatype-nexus-community/nancy