
Commit 112fa50

ci: run govulncheck via official action with SARIF upload
Replace the bespoke govulncheck wrapper (a custom JSON parser plus a homegrown allowlist file in its own .github Go module) with the official golang/govulncheck-action emitting SARIF to GitHub code scanning — the same model CodeQL and Semgrep already use here. New-vs-baseline gating and suppression are now handled natively by the code-scanning platform (dismiss with a reason in the Security tab, audited) instead of a checked-in allowlist parsed by custom code, which was a maintenance and security-control bypass surface. Build-tag coverage for agent (docker) and ssh (internal_api) is forwarded via GOFLAGS. Drops ~600 lines of bespoke Go, its tests, the extra go.mod, and .govulncheck-allow.txt.
1 parent 684c016 commit 112fa50
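The workflow shape the commit message describes, written out as an added illustration (this is not the workflow file from this commit or from the project): the official golang/govulncheck-action in SARIF mode, results uploaded to code scanning, and the agent (docker) and ssh (internal_api) build tags forwarded through GOFLAGS so the tagged files are loaded by the scan. The workflow name, trigger set, step ids, SARIF file name and the `go-version-file`, `category` and schedule values are assumptions, not taken from the page.

```yaml
# Added example, not the project's own workflow. Names, triggers and the
# Go-version input are assumptions; the action and SARIF-upload model, and
# the GOFLAGS tag forwarding, are what the commit message describes.
name: govulncheck

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: "0 6 * * 1"   # weekly re-scan catches advisories published after the last push

permissions:
  contents: read
  security-events: write  # needed to upload SARIF to code scanning

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    env:
      # Build tags mentioned in the commit message (agent: docker, ssh: internal_api).
      # govulncheck loads packages through the Go toolchain, which honours GOFLAGS,
      # so files behind these tags are scanned instead of being silently skipped.
      GOFLAGS: -tags=docker,internal_api
    steps:
      - id: govulncheck
        uses: golang/govulncheck-action@v1
        with:
          go-version-file: go.mod      # assumption: pin to the module's own Go version
          go-package: ./...
          output-format: sarif
          output-file: govulncheck.sarif

      - name: Upload SARIF to code scanning
        if: always()                   # upload even if the scan step itself fails
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: govulncheck.sarif
          category: govulncheck        # keeps these alerts separate from CodeQL/Semgrep
```

With SARIF as the output, findings land in the Security tab as alerts rather than failing the job directly, so merge gating comes from branch protection requiring the code-scanning check; a dismissed alert records who dismissed it and why, which is the audited suppression path the commit message relies on in place of the old allowlist file.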

10 files changed

Lines changed: 0 additions & 693 deletions

File tree

.github/go.mod

Lines changed: 0 additions & 11 deletions
This file was deleted.
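Review bot: deleting .github/go.mod removes the module that hosted the govulncheck wrapper, so any other workflow or Makefile target that still runs `go run` against a path under .github (such as the cmd/ package removed in this same commit) will now fail at CI time; please grep the remaining workflows for `.github/govulncheck` before merging.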

.github/go.sum

Lines changed: 0 additions & 10 deletions
This file was deleted.

.github/govulncheck/cmd/main.go

Lines changed: 0 additions & 27 deletions
This file was deleted.
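Review bot: with this entry point gone, nothing in the job itself fails on a finding any more; the commit message says gating moves to the code-scanning platform, so the branch-protection rule should require the govulncheck code-scanning check, otherwise the migration silently turns a blocking check into an advisory one.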

.github/govulncheck/govulncheck.go

Lines changed: 0 additions & 284 deletions
This file was deleted.
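Review bot: the allowlist semantics implemented here are not carried over, so every vulnerability ID that was previously suppressed will reappear as an open alert on the first SARIF upload; the commit message should note that each one has to be re-dismissed with a reason in the Security tab, and ideally list the IDs that were in the allowlist so the re-triage is a conscious step rather than a surprise.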

0 commit comments