Skip to content

go: use govulncheck to detect security issues#2274

Merged
bendrucker merged 1 commit into
masterfrom
govulncheck
Mar 26, 2025
Merged

go: use govulncheck to detect security issues#2274
bendrucker merged 1 commit into
masterfrom
govulncheck

Conversation

@bendrucker

@bendrucker bendrucker commented Mar 25, 2025

Copy link
Copy Markdown
Member

Uses govulncheck to check each build for known Go vulnerabilities in the source.

Inspired by opentofu/opentofu#2600, this attempts to cut through the steady drip of noisy automated reports. Where most automated reports detect inclusion of a vulnerable dependency version via package manifests (go.mod, go.sum), govulncheck analyzes the source code for use of vulnerable symbols. This has a dramatically higher signal to noise ratio. Reports from govulncheck should often be actionable and require an advisory. Anything not reported is most likely noise and does not merit an advisory.

Uses the new go tool features in Go 1.24 to invoke the command.

@bendrucker bendrucker requested a review from wata727 March 25, 2025 18:49

@wata727 wata727 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

@bendrucker bendrucker merged commit e3f4155 into master Mar 26, 2025
@bendrucker bendrucker deleted the govulncheck branch March 26, 2025 18:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

2 participants