ci(go): add govulncheck CVE gate — fix #45 (SAFE) #54
Merged
Conversation
Add a go-cve job to tests.yml that installs govulncheck@v1.1.4 and runs it against the Go module. The job is non-blocking (continue-on-error: true) until the stdlib vulns introduced by go1.26.0 are patched (requires bumping go/go.mod past go1.26.4 and golang.org/x/net@v0.55.0). Previously the gate was blind because no govulncheck step existed in CI. The CI already used go-version: 1.26.0 matching go/go.mod so no toolchain directive change was needed. govulncheck@latest (v1.4.0) was pinned to v1.1.4 to avoid a panic in x/tools@v0.46.0 on generic types. Local run result: 18 real CVEs found in go1.26 stdlib (GO-2026-4599 through GO-2026-5039) plus golang.org/x/net@v0.53.0 (GO-2026-5026). Gate is active and reporting real findings. Closes SAFE/govulncheck part of #45.
Summary

- Add `go-cve` job to `.github/workflows/tests.yml` that installs `govulncheck@v1.1.4` and runs `govulncheck ./...` against the Go module
- Pinned `v1.1.4` (not `@latest`, which is `v1.4.0`) — `v1.4.0` panics on generic types via `x/tools@v0.46.0` (panic in `ForEachElement`)
- `continue-on-error: true` until the downstream Go version is bumped (see below); findings are real and tracked

Root cause of blindness: No `govulncheck` step existed in CI at all. The CI already used `go-version: '1.26.0'` matching `go/go.mod`, so no toolchain directive change was needed.

govulncheck result (local, govulncheck@v1.1.4 + go1.26.0):

18 vulnerabilities found — all in `go1.26` stdlib (fixed in `go1.26.1`–`go1.26.4`) plus `golang.org/x/net@v0.53.0` (GO-2026-5026, fixed in `v0.55.0`). The gate is no longer blind; it's reporting real findings.

To make this gate blocking: bump `go/go.mod` to `go 1.26.4` and `golang.org/x/net` to `v0.55.0`, then remove `continue-on-error: true`.

Test plan

- [ ] `go-cve` job appears in CI run for this PR
- [ ] Other jobs (`go`, `go-lint`, `python`, etc.) pass unaffected

Closes #45 (SAFE / govulncheck sub-task only — does not touch PR #17 or any dependabot PRs)
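The PR's actual `tests.yml` diff is not shown on this page. The job below is an added illustration of the shape the description implies, not the PR's own change: the pinned govulncheck version, the matching `go-version`, and the non-blocking `continue-on-error` are taken from the PR text; the `actions/checkout` and `actions/setup-go` action versions and the `go/` working directory (inferred from the `go/go.mod` path) are assumptions.

```yaml
# Added example, not the PR's diff. Action versions and the go/ working
# directory are assumptions; the rest mirrors what the PR description states.
jobs:
  go-cve:
    runs-on: ubuntu-latest
    # Non-blocking until go/go.mod is bumped past go1.26.4 and x/net to v0.55.0.
    # Deleting this line turns the job into a hard gate (a red check on findings).
    continue-on-error: true
    defaults:
      run:
        working-directory: go   # assumed: the module root is where go/go.mod lives
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.26.0'   # matches go/go.mod, so no toolchain directive change
      # Pinned rather than @latest: v1.4.0 panics on generic types (x/tools@v0.46.0).
      - run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.4
      # Scans every package in the module; exits non-zero when it finds
      # vulnerabilities reachable from the code, which is what the gate keys on.
      - run: govulncheck ./...
```

With `continue-on-error: true` the findings still appear in the job log (the 18 stdlib entries plus GO-2026-5026, per the local run), but the workflow stays green; the PR's stated plan is to bump `go/go.mod` and `golang.org/x/net`, confirm the job reports zero findings, and only then drop the line so a regression fails the build.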