From 1ba91858064392bde59f4fe6f9b18f2f5087cc2f Mon Sep 17 00:00:00 2001 From: Ties de Kock Date: Tue, 4 Mar 2025 18:42:51 +0100 Subject: [PATCH] Add govulncheck to ci/cd Add govulncheck, a conservative static analyzer that checks the reachability of vulnerabilities. This provides an upper bound on the actual vulnerabilities that are applicable, and is lower-noise than generic checks that check if a vulnerable library is used. --- .github/workflows/go.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index f7b9bc9..f87644f 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -24,6 +24,12 @@ jobs: with: go-version-file: 'go.mod' + - id: govulncheck + uses: golang/govulncheck-action@v1 + with: + go-version-file: 'go.mod' + go-package: ./... + - name: Test & Vet run: make test vet
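Review bot: The added step's `uses: golang/govulncheck-action@v1` references a mutable tag, so whatever commit that tag points to at run time executes inside this workflow. Pin it to a full commit SHA and keep the version as a trailing comment, for example `uses: golang/govulncheck-action@<full-commit-sha> # v1` (placeholder, not a real hash). The step also carries only `id: govulncheck`, while the neighbouring step uses `name: Test & Vet`; adding a `name:` keeps the job log consistent. Finally, it repeats `go-version-file: 'go.mod'` from the preceding step's `with:` block, so it is worth confirming that the action needs its own Go setup rather than reusing the toolchain already installed earlier in the job.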