chore: check vulnerabilities with custom action (codeready-toolchain#687)

xcoulon · web-flow · commit c6505a79c1cd · 2025-07-03T08:54:17.000+02:00
support exclusions

Signed-off-by: Xavier Coulon &lt;xcoulon@redhat.com&gt;
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
@@ -19,8 +19,8 @@ jobs:
         go-version-file: go.mod
 
     - name: Run govulncheck
-      uses: golang/govulncheck-action@v1
+      uses: codeready-toolchain/toolchain-cicd/govulncheck-action@master
       with:
-        go-version-input: ${{ steps.install-go.outputs.go-version }}
-        go-package: ./...
-        repo-checkout: false
+        go-version-file: go.mod
+        cache: false
+        config: .govulncheck.yaml
diff --git a/.govulncheck.yaml b/.govulncheck.yaml
@@ -0,0 +1,19 @@
+ignored-vulnerabilities:
+  # Request smuggling due to acceptance of invalid chunked data in net/http
+  # Found in Found in: net/http/internal@go1.22.12
+  # Fixed in Fixed in: net/http/internal@go1.23.8
+  - id: GO-2025-3563
+    info: https://pkg.go.dev/vuln/GO-2025-3563
+    silence-until: 2025-08-01
+  # Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows in os in syscall
+  # Found in Found in: os@go1.22.12
+  # Fixed in Fixed in: os@go1.23.10
+  - id: GO-2025-3750
+    info: https://pkg.go.dev/vuln/GO-2025-3750
+    silence-until: 2025-08-01
+  # Sensitive headers not cleared on cross-origin redirect in net/http
+  # Found in Found in: net/http@go1.22.12
+  # Fixed in Fixed in: net/http@go1.23.10
+  - id: GO-2025-3751
+    info: https://pkg.go.dev/vuln/GO-2025-3751
+    silence-until: 2025-08-01
