ci: add govulncheck workflow by solardome · Pull Request #3779 · redis/go-redis

solardome · 2026-04-15T19:53:27Z

This PR adds a dedicated GitHub Actions workflow to run govulncheck.

Why

govulncheck is the Go project's recommended tool for detecting known vulnerabilities in Go codebases
it provides a focused security signal that complements existing tests and linting
a scheduled run helps surface newly disclosed vulnerabilities even when no code changes occur

What is included

a new workflow: .github/workflows/govulncheck.yml
execution on:
- pull requests
- push
- a weekly schedule (Monday)
installation of govulncheck using a fixed version (no @latest) to keep builds reproducible
minimal permissions (contents: read)

Design choices

implemented as a separate workflow to avoid increasing complexity of the existing CI matrix
scans all Go modules in the repository (not only the root module)
collects results across modules instead of stopping on the first failure
explicitly fails if no Go modules are discovered
ensures govulncheck runs only after a successful directory change
uses go install instead of a separate action to avoid introducing additional dependencies
runs on Go 1.26.x, since the 1.25.x toolchain line currently produces findings from known vulnerabilities in the Go standard library/toolchain itself rather than repository-specific changes

Impact

no changes to existing workflows or release process
adds a lightweight and actionable security check aligned with Go ecosystem recommendations

Note

Low Risk
Low risk: adds a new CI security scanning workflow without changing application/runtime code; main impact is potential new CI failures and added pipeline time.

Overview
Adds a new GitHub Actions workflow, govulncheck, that runs on PRs, pushes, and a weekly schedule to scan the repo for known Go vulnerabilities.

The job installs a pinned govulncheck version on Go 1.26.x, scans all discovered go.mod modules (aggregating failures instead of stopping early), uses read-only permissions, and cancels in-progress runs for the same ref.

^{Reviewed by Cursor Bugbot for commit 4058e18. Bugbot is set up for automated code reviews on this repo. Configure here.}

jit-ci · 2026-04-15T19:53:38Z

Hi, I’m Jit, a friendly security platform designed to help developers build secure applications from day zero with an MVS (Minimal viable security) mindset.

In case there are security findings, they will be communicated to you as a comment inside the PR.

Hope you’ll enjoy using Jit.

Questions? Comments? Want to learn more? Get in touch with us.

Add a dedicated GitHub Actions workflow to run govulncheck. - scans all Go modules in the repository - collects results across modules instead of stopping on first failure - fails explicitly if no modules are discovered - ensures scans run only after successful directory change - uses a fixed govulncheck version for reproducibility - runs on Go 1.26.x to avoid failures caused by known vulnerabilities in older toolchains

cursor

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Reviewed by Cursor Bugbot for commit 3acc1d2. Configure here.}

solardome · 2026-04-15T21:36:41Z

All review comments addressed.

fixed multi-module scanning
ensured correct failure handling
removed Go 1.25.x due to toolchain vulnerabilities
simplified workflow to Go 1.26.x
updated PR description to match implementation

Ready for review.

solardome · 2026-04-16T06:25:05Z

One of the existing test jobs is currently failing outside the scope of this change as well - the same failure reproduces on master.
Job [test-redis-ce (8.0.x, oldstable)]
The govulncheck workflow itself is green / updated, and this failing test appears unrelated to this PR.

ofekshenawa · 2026-04-18T13:50:15Z

@solardome I'll check it, thanks.