feat: add govulncheck to scan for security issues on PR #1026
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
calisio
requested review from
calisio and
corypride
and removed request for
CK-7vn
calisio
approved these changes
Oct 22, 2025
Contributor
calisio
left a comment
calisio
left a comment
There was a problem hiding this comment.
It seems like the one library that was updated was the crypto library, which after looking is only really used for provider platforms. Hard to check if that had any impact on how they work right now since we haven't used that feature in months/isn't super relevant right now, but something to be aware of if we pick it back up again.
Looks good and functions as expected right now though!
corypride
requested changes
Oct 27, 2025
Contributor
corypride
left a comment
corypride
left a comment
There was a problem hiding this comment.
Tests good! Solid implementation, curious about how it will fail currently, I think that it may be too strict as it is currently implemented, and wondering if it would be better if we failed on critical/high vulnerabilities only?
corypride
added a commit
that referenced
this pull request
Oct 27, 2025
- Create dedicated security-frontend.yml workflow for frontend dependency scanning - Scan for critical and high vulnerabilities only - Send Slack notifications when vulnerabilities are detected - Never block builds, only notify via webhook - Update ESLint workflow to remove duplicate security scanning - Follow gosec implementation pattern from PR #1026
corypride
approved these changes
Oct 28, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of the change
Added automated Go vulnerability scanning to the CI/CD pipeline using the official govulncheck tool. This workflow runs on every pull request that modifies Go code or dependencies and blocks merges if vulnerabilities are detected. Currently there was only one library that needed to be updated along with upping the golang version to 1.23. Not bad.
This enhancement closes a major gap in our Dev Security Ops workflow by ensuring Go dependencies are continuously validated against the latest CVE data from the Go vulnerability database.
Implementation
Screenshot(s)
NA - only ci/cd changes
Additional context
Testing requires only navigating around the site making sure the program tracking pages load properly due to library update.