
@mohammedfirdouss mohammedfirdouss commented Jan 15, 2026

Issue

#6409

What was addressed

The PR adds two security features:

  1. Dependabot configuration — automatically checks for dependency updates
  2. govulncheck integration — scans Go code for known vulnerabilities

How it works

  1. Dependabot (.github/dependabot.yml)

• Scans Go modules and npm packages weekly
• Monitors multiple directories (root, plugins, tools, web, docs)
• Creates PRs when updates are available
• Limits open PRs to 5 per ecosystem to avoid spam

  2. govulncheck (.github/workflows/lint.yaml)

• Runs automatically on every PR and push
• Scans all Go modules in the repository
• Uses a matrix strategy to check each module separately
• Fails the CI if vulnerabilities are found
• Includes a completion job (govulncheck-completed) for branch protection rules

Testing

mohammedfirdouss#1 - see this Dependabot that automatically checks for dependency updates in my repo, updates what is necessary, and then opens a PR.
Check out how the workflow file also catches vulnerabilities; the screenshots show evidence that this would work. I am open to reviews and suggestions.

cc: @khanhtc1202 @eeshaanSA @Warashi @ffjlabo

[Six screenshots attached, all captured 2026-01-19.]

Signed-off-by: Mohammed Firdous <mohammedfirdousaraoye@gmail.com>
Signed-off-by: Mohammed Firdous <124298708+mohammedfirdouss@users.noreply.github.com>
@mohammedfirdouss mohammedfirdouss force-pushed the feat/add-dependabot-govulncheck branch from c15d4e1 to 148b5a3 on January 15, 2026 at 14:44
Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@Ayushmore1214 Ayushmore1214 (Contributor) left a comment

Adding Go module caching would be better for faster CI runs. WDYT @mohammedfirdouss?

Signed-off-by: Mohammed Firdous <124298708+mohammedfirdouss@users.noreply.github.com>
Signed-off-by: Mohammed Firdous <124298708+mohammedfirdouss@users.noreply.github.com>
@mohammedfirdouss mohammedfirdouss (Contributor, Author) replied, quoting the comment above:

Adding Go module caching would be better for faster CI runs. WDYT @mohammedfirdouss?

Hmm, I think this is a good idea.
