Skip to content

chore: add govulncheck security scanning to CI#32

Open
em-redhat wants to merge 2 commits into
unbound-force:mainfrom
em-redhat:opsx/ci-govulncheck
Open

chore: add govulncheck security scanning to CI#32
em-redhat wants to merge 2 commits into
unbound-force:mainfrom
em-redhat:opsx/ci-govulncheck

Conversation

@em-redhat

Copy link
Copy Markdown
Contributor

Summary

Add govulncheck security scanning to the CI pipeline, implementing issue #23.

Changes

  • .github/workflows/ci.yml: Add a Govulncheck step after Vet and before Test that runs govulncheck ./... to detect known vulnerabilities in Go dependencies
  • AGENTS.md: Document that the Build and Test CI check now includes govulncheck for vulnerability scanning
  • openspec/changes/ci-govulncheck/: Full OpenSpec change artifacts (proposal, design, spec, tasks)

Design Decisions

  • govulncheck is added as a step within the existing Build and Test job (not a separate workflow), so the release preflight needs no changes
  • Uses go install golang.org/x/vuln/cmd/govulncheck@latest to always get the most current vulnerability database
  • Call-graph-aware scanning means only vulnerabilities in reachable code paths cause failures

Verification

  • govulncheck ./... passes locally (0 vulnerabilities in call graph)
  • All existing tests pass (go test ./... -count=1 -race)
  • go vet ./... passes

Fixes #23

em-redhat added 2 commits July 7, 2026 13:07
- Add Govulncheck step to ci.yml (after Vet, before Test)
- Document govulncheck in AGENTS.md CI Parity Gate section
- Add OpenSpec change artifacts (proposal, design, spec, tasks)

Fixes unbound-force#23
The CI runner with go1.25.7 has 9 known stdlib vulnerabilities
(GO-2026-4601 through GO-2026-4918) that cause govulncheck to fail.
Updating to go1.25.11 resolves all of them.
@em-redhat em-redhat moved this to In Review 👀 in Unbound Force Planning Jul 7, 2026
@em-redhat em-redhat requested review from jflowers and sonupreetam July 7, 2026 12:18
@em-redhat em-redhat self-assigned this Jul 7, 2026
Comment thread .github/workflows/ci.yml

- name: Govulncheck
run: |
go install golang.org/x/vuln/cmd/govulncheck@latest

@sonupreetam sonupreetam Jul 13, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@em-redhat Minor. Consider pinning to a commit hash instead of @latest (reproducibility, supply chain hygiene). Will approve once its done.

@sonupreetam sonupreetam left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@em-redhat Do you think replicator should also adopt ci_security.yml with the org-infra reusable workflows (OSV-Scanner + Trivy + OpenSSF Scorecards) like the parent unbound-force/unbound-force repo does?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: In Review 👀

Development

Successfully merging this pull request may close these issues.

chore: add govulncheck security scanning to CI

2 participants