Commit 112fa50
ci: run govulncheck via official action with SARIF upload
Replace the bespoke govulncheck wrapper (a custom JSON parser plus a
homegrown allowlist file in its own .github Go module) with the
official golang/govulncheck-action emitting SARIF to GitHub code
scanning — the same model CodeQL and Semgrep already use here.
New-vs-baseline gating and suppression are now handled natively by the
code-scanning platform (dismiss with a reason in the Security tab,
audited) instead of a checked-in allowlist parsed by custom code, which
was a maintenance and security-control bypass surface. Build-tag
coverage for agent (docker) and ssh (internal_api) is forwarded via
GOFLAGS. Drops ~600 lines of bespoke Go, its tests, the extra go.mod,
and .govulncheck-allow.txt.
1 parent 684c016
10 files changed
Lines changed: 0 additions & 693 deletions
File tree
- .github
- govulncheck
- cmd
- testdata