ci: add govulncheck action

A govulncheck action with inline annotations and summary table.
SARIF report uploaded on internal PRs and main to feed scan results
into GitHub UI.

Co-authored-by: Vic Kerr <wiktor.kerr@ionos.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Author: 4 people

.github/workflows/govulncheck.yml

@@ -0,0 +1,101 @@
+name: govulncheck
+on:
+  pull_request: {}
+  push:
+    branches: [ "main" ]
+    tags: [ "v*" ]
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest # govulncheck OOMs on ubuntu-slim
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version-file: go.mod
+      - name: govulncheck
+        run: go tool govulncheck -format sarif ./... >govulncheck.sarif
+      - name: Annotate and summarise findings
+        if: always()
+        run: |
+          if ! jq -e '.runs[0].results' govulncheck.sarif >/dev/null 2>&1; then
+            echo '## govulncheck: no valid SARIF output produced' >>"$GITHUB_STEP_SUMMARY"
+            exit 1
+          fi
+          findings=$(jq -r '
+            ( .runs[0].tool.driver.rules | INDEX(.id) |
+              map_values({
+                cve: (.properties.tags // [] | unique | map(select(startswith("CVE"))) | join(", ")),
+                desc: .fullDescription.text
+              })
+            ) as $rules |
+            .runs[0].results[] |
+            . as $r |
+            (if $r.level == "warning" then "warning"
+             elif $r.level == "note" then "notice"
+             else "error" end) as $sev |
+            ($rules[$r.ruleId] // {cve:"",desc:""}) as $rule |
+            if ($r.codeFlows | length) > 0 then
+              $r.codeFlows[].threadFlows[0].locations |
+              map(select(.location.physicalLocation.artifactLocation.uriBaseId == "%SRCROOT%")) |
+              .[0].location.physicalLocation |
+              [$sev, .artifactLocation.uri, (.region.startLine // 1 | tostring), $r.ruleId, $rule.cve, $rule.desc, $r.message.text] | @tsv
+            else
+              $r.locations[0].physicalLocation |
+              [$sev, .artifactLocation.uri, (.region.startLine // 1 | tostring), $r.ruleId, $rule.cve, $rule.desc, $r.message.text] | @tsv
+            end
+          ' govulncheck.sarif)
+          esc() {
+            local v=$1
+            v=${v//'%'/'%25'}
+            v=${v//$'\r'/'%0D'}
+            v=${v//$'\n'/'%0A'}
+            [ -z "$2" ] && v=${v//':'/'%3A'}
+            [ -z "$2" ] && v=${v//','/'%2C'}
+            printf '%s' "$v"
+          }
+          if [ -n "$findings" ]; then
+            while IFS=$'\t' read -r sev file line ruleid cve desc msg; do
+              echo "::$(esc "$sev") file=$(esc "$file"),line=$(esc "$line"),title=$(esc "$ruleid")::$(esc "$msg" 1)"
+            done <<< "$findings"
+            vulns=$(awk -F'\t' '!seen[$4]++' <<< "$findings")
+            count=$(awk 'END{print NR}' <<< "$vulns")
+            {
+              echo "## govulncheck: $count vulnerability finding(s)"
+              echo '| ID | CVE | Location | Severity | Details |'
+              echo '|----|-----|----------|----------|---------|'
+              while IFS=$'\t' read -r sev file line ruleid cve desc msg; do
+                echo "| [${ruleid}](https://pkg.go.dev/vuln/${ruleid}) ${desc} | ${cve} | ${file}:${line} | ${sev} | ${msg} |"
+              done <<< "$vulns"
+            } >>"$GITHUB_STEP_SUMMARY"
+          else
+            echo '## govulncheck: no vulnerabilities found' >>"$GITHUB_STEP_SUMMARY"
+          fi
+          [ -n "$findings" ] && exit 1 || exit 0
+      - if: always()
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: govulncheck.sarif
+          path: govulncheck.sarif
+
+  upload-sarif:
+    needs: scan
+    if: always() && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository)
+    runs-on: ubuntu-slim
+    permissions:
+      security-events: write
+    steps:
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: govulncheck.sarif
+      - name: Fix duplicate SARIF tags
+        run: |
+          jq '.runs[].tool.driver.rules |= map(if .properties != null and .properties.tags != null then .properties.tags |= unique else . end)' \
+            govulncheck.sarif >govulncheck-fixed.sarif
+      - uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
+        with:
+          sarif_file: govulncheck-fixed.sarif

Makefile

@@ -155,6 +155,9 @@ verify-gen: generate manifests mockgen ## Verify go generated files and CRDs are
 		echo "generated files are out of date, run make generate and/or make mockgen"; exit 1; \
 	fi
 
+.PHONY: govulncheck
+govulncheck: ## Run govulncheck to check for known vulnerabilities in the code.
+	go tool govulncheck ./...
 
 ##@ Deployment
 

go.mod

@@ -49,6 +49,7 @@ tool (
 	github.com/onsi/ginkgo/v2/ginkgo
 	github.com/vektra/mockery/v2
 	golang.org/x/tools/cmd/goimports
+	golang.org/x/vuln/cmd/govulncheck
 	k8s.io/code-generator/cmd/conversion-gen
 	sigs.k8s.io/controller-runtime/tools/setup-envtest
 	sigs.k8s.io/controller-tools/cmd/controller-gen
@@ -340,6 +341,7 @@ require (
 	golang.org/x/term v0.43.0 // indirect
 	golang.org/x/text v0.37.0 // indirect
 	golang.org/x/time v0.11.0 // indirect
+	golang.org/x/vuln v1.3.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 // indirect

go.sum

@@ -353,6 +353,8 @@ github.com/google/cel-go v0.23.2 h1:UdEe3CvQh3Nv+E/j9r1Y//WO0K0cSyD7/y0bzyLIMI4=
 github.com/google/cel-go v0.23.2/go.mod h1:52Pb6QsDbC5kvgxvZhiL9QX1oZEkcUF/ZqaPx1J5Wwo=
 github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw=
 github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw=
+github.com/google/go-cmdtest v0.4.1-0.20220921163831-55ab3332a786 h1:rcv+Ippz6RAtvaGgKxc+8FQIpxHgsF+HBzPyYL2cyVU=
+github.com/google/go-cmdtest v0.4.1-0.20220921163831-55ab3332a786/go.mod h1:apVn/GCasLZUVpAJ6oWAuyP7Ne7CEsQbTnc0plM3m+o=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@@ -376,6 +378,7 @@ github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OI
 github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20260402051712-545e8a4df936 h1:EwtI+Al+DeppwYX2oXJCETMO23COyaKGP6fHVpkpWpg=
 github.com/google/pprof v0.0.0-20260402051712-545e8a4df936/go.mod h1:MxpfABSjhmINe3F1It9d+8exIHFvUqtLIRCdOGNXqiI=
+github.com/google/renameio v0.1.0 h1:GOZbcHa3HfsPKPlmyPyN2KEohoMXOhdMbHrvbpl2QaA=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
@@ -1019,6 +1022,8 @@ golang.org/x/tools/go/expect v0.1.1-deprecated h1:jpBZDwmgPhXsKZC6WhL20P4b/wmnps
 golang.org/x/tools/go/expect v0.1.1-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM=
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
+golang.org/x/vuln v1.3.0 h1:hZYzR8uRhYhDSX88d+40TWbKAVw7BIvRWm26rtEn8jw=
+golang.org/x/vuln v1.3.0/go.mod h1:MIY2PaR1y52stzZM3uHBboUAdVJvSVMl5nP3OQrwQaE=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=