Summary
Add govulncheck to the repository’s security checks so known Go vulnerabilities are detected in dependencies and reachable code paths.
Motivation
We currently rely on linting and tests, but we should also continuously scan for known vulnerabilities in Go modules and code usage. Integrating govulncheck improves baseline security posture and catches issues earlier in development.
Proposed changes
- Add a `make` target for vulnerability scanning (for example: `make vulncheck`).
- Run `govulncheck` against all modules/workspaces used by this repo.
- Add `govulncheck` to CI so pull requests and/or main branch builds fail on detected vulnerabilities.
- Document local usage in existing developer docs (command, expected output, and failure behavior).
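One way to wire the three items above together, as an added example rather than code from this repository: a POSIX shell script that reads the module list from `go.work` and runs `govulncheck ./...` in each module, exiting non-zero if any run reports a finding (so both `make vulncheck` and CI can call it). It assumes `go.work` sits at the repo root and `govulncheck` is on `PATH`.

```shell
#!/usr/bin/env sh
# Added example: scan every workspace module with govulncheck.
# Assumes go.work at the repo root and govulncheck installed
# (go install golang.org/x/vuln/cmd/govulncheck@latest).

# Print the module directories listed in a go.work file read from stdin.
# Handles both "use ./sdk" and the block form "use (\n\t./sdk\n)".
workspace_modules() {
    awk '
        /^use[ \t]*\(/ { inblock = 1; next }
        inblock && /^\)/ { inblock = 0; next }
        inblock {
            sub(/#.*/, "")                      # drop trailing comments
            gsub(/^[ \t]+|[ \t]+$/, "")         # trim whitespace
            if ($0 != "") print $0
            next
        }
        /^use[ \t]+/ { print $2 }
    '
}

# Run govulncheck in each module; return 1 if any module has findings.
# govulncheck itself exits non-zero when it reports a reachable vulnerability,
# which is what makes a CI job fail.
vulncheck_all() {
    workfile="${1:-go.work}"
    status=0
    for dir in $(workspace_modules < "$workfile"); do
        echo "==> govulncheck in $dir"
        if ! (cd "$dir" && govulncheck ./...); then
            status=1
        fi
    done
    return "$status"
}

# Constructed sample go.work matching the layout described in this issue
# (root module, sdk/, workflow/); not the repository's real file.
SAMPLE_GO_WORK=$(printf 'go 1.22\n\nuse (\n\t.\n\t./sdk\n\t./workflow\n)\n')
```

Saved as `scripts/vulncheck.sh`, the make target becomes `vulncheck: ; sh scripts/vulncheck.sh go.work`, and the CI step runs the same command so local and CI behaviour match.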
Acceptance criteria
- A reproducible local command exists to run vulnerability checks.
- CI executes `govulncheck` on each relevant change.
- CI behavior is clearly defined (fail on findings).
- Developer documentation explains how to run and interpret results.
- Existing test/lint workflow remains green after integration.
Notes
- Keep the implementation compatible with the repo’s multi-module/workspace setup (`go.work`, root module, `sdk/`, `workflow/`).