
ci: add Go vulnerability scanning with govulncheck and gosec#310

Open
giwaov wants to merge 1 commit into KiiChain:main from giwaov:feat/go-vuln-scanning

Conversation


@giwaov giwaov commented Apr 2, 2026

Summary

Adds a Go vulnerability scanning CI workflow that integrates govulncheck and gosec into the pipeline, as requested in #65.

Changes

New: .github/workflows/go-vuln-scan.yml

Two parallel jobs:

govulncheck (official Go vulnerability database)

  • Checks all Go dependencies against the Go vulnerability database
  • Fails the build if any known vulnerability affects the project

gosec (static security analysis)

  • Scans Go source for high-severity security anti-patterns
  • Filters to high severity + medium confidence to reduce noise
  • Excludes generated code

Triggers

  • On PRs that touch .go, go.mod, or go.sum files
  • On pushes to main with the same path filter
  • Weekly scheduled run (Monday 08:00 UTC) to catch newly disclosed CVEs

Modified: CHANGELOG.md

  • Added entry under ## Unreleased / ### Added

Design Decisions

  • Path filtering: only triggers on Go-related file changes to avoid unnecessary runs
  • Weekly schedule: catches vulnerabilities disclosed after the last code change
  • gosec severity filter: -severity high -confidence medium avoids noisy low-confidence findings while catching real issues
  • Excludes generated code: -exclude-generated skips protobuf/mock files

Closes #65

Add govulncheck and gosec CI jobs that run on PRs, pushes to main, and
weekly on a schedule to catch newly disclosed vulnerabilities.

- govulncheck: checks Go dependencies against the official vuln database
- gosec: static analysis for high-severity security patterns

Closes KiiChain#65
@giwaov giwaov requested a review from jhelison as a code owner April 2, 2026 09:49
Copilot AI review requested due to automatic review settings April 2, 2026 09:49

coderabbitai Bot commented Apr 2, 2026

Walkthrough

A new GitHub Actions workflow is introduced for automated Go vulnerability scanning. The workflow triggers on pushes to main, pull requests affecting Go source files and dependency files, and runs weekly. Two independent security scanning jobs execute: govulncheck for dependency vulnerability detection and gosec for code security pattern analysis. The CHANGELOG.md is updated to document the new feature.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks: 5 passed
  • Title check (Passed): The title accurately and concisely summarizes the main change: adding Go vulnerability scanning with govulncheck and gosec to the CI pipeline.
  • Description check (Passed): The description is clearly related to the changeset, providing detailed context about the workflow implementation, design decisions, and why it was added.
  • Linked Issues check (Passed): The PR successfully implements all core requirements from issue #65: integrates govulncheck and gosec into CI, fails on high-severity findings, uses path filtering to avoid unnecessary runs, and includes a weekly scheduled scan to catch newly disclosed CVEs.
  • Out of Scope Changes check (Passed): All changes directly support the objectives from issue #65: the workflow configuration adds the requested vulnerability scanning tools, and the CHANGELOG.md update documents the new feature appropriately.
  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
.github/workflows/go-vuln-scan.yml (1)

3-18: Consider adding workflow_dispatch for manual triggering.

Adding workflow_dispatch allows manually re-running the scan after fixing vulnerabilities or when investigating a newly disclosed CVE without waiting for the scheduled run.

💡 Suggested enhancement
 on:
   push:
     branches:
       - main
     paths:
       - "**.go"
       - "go.mod"
       - "go.sum"
   pull_request:
     paths:
       - "**.go"
       - "go.mod"
       - "go.sum"
   schedule:
     # Run weekly on Monday at 08:00 UTC to catch newly disclosed vulnerabilities
     - cron: "0 8 * * 1"
+  workflow_dispatch:
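Review bot: the push and pull_request paths lists in this hunk ("**.go", "go.mod", "go.sum") do not include the workflow file itself, so a PR that only edits .github/workflows/go-vuln-scan.yml, as this one does according to the files list, will never run the scan it changes; add `- ".github/workflows/go-vuln-scan.yml"` to both lists. The workflow_dispatch addition is fine as written, since it declares no inputs.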


📥 Commits

Reviewing files that changed from the base of the PR and between 5c894a6 and d950e1d.

📒 Files selected for processing (2)
  • .github/workflows/go-vuln-scan.yml
  • CHANGELOG.md


Copilot AI left a comment


Pull request overview

Adds automated Go security scanning to the CI pipeline to detect known dependency vulnerabilities and common security anti-patterns, addressing #65.

Changes:

  • Introduces a new GitHub Actions workflow running govulncheck and gosec in parallel.
  • Configures workflow triggers for PRs/pushes touching Go-related files plus a weekly scheduled run.
  • Updates CHANGELOG.md under Unreleased → Added to document the new CI check.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

  • .github/workflows/go-vuln-scan.yml: Adds a Go vulnerability scanning workflow with govulncheck + gosec jobs and scheduled execution.
  • CHANGELOG.md: Documents the addition of the Go vulnerability scanning workflow.


check-latest: true

- name: Run gosec
uses: securego/gosec@master

Copilot AI Apr 2, 2026


The workflow pins the gosec action to securego/gosec@master, which is a moving target and can introduce supply-chain risk and non-reproducible CI behavior. Pin this to a tagged release or (preferably) a specific commit SHA, and consider using Dependabot to keep it updated.

Suggested change
uses: securego/gosec@master
uses: securego/gosec@v2.21.0
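Review bot: the suggested line `uses: securego/gosec@v2.21.0` moves the reference from a branch to a tag, but the comment above states that a commit SHA is preferable, and a tag can be re-pointed by whoever controls the repository; the suggestion should pin the full commit SHA of the chosen release and keep the tag in a trailing comment (`uses: securego/gosec@<sha> # v2.21.0`). The checkout and Go setup steps in the same workflow deserve the same treatment.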

check-latest: true

- name: Install govulncheck
run: go install golang.org/x/vuln/cmd/govulncheck@latest

Copilot AI Apr 2, 2026


Installing govulncheck with @latest makes the CI run non-reproducible and can cause unexpected failures when upstream releases change behavior. Prefer pinning to a specific govulncheck version (or a known-good commit) and updating it intentionally.

Suggested change
run: go install golang.org/x/vuln/cmd/govulncheck@latest
run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.0
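Review bot: pinning govulncheck at `@v1.1.0` fixes the scanner version, but `check-latest: true` on the preceding setup step (visible at the top of this excerpt) still resolves the newest Go toolchain matching the version spec on every run, so the build inputs are not yet reproducible; if that is the goal, use `go-version-file: go.mod` and drop `check-latest`. Note also that govulncheck fetches the vulnerability database live, so results legitimately change over time even with a pinned binary, which is exactly what the weekly schedule in the description is for.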


giwaov commented Apr 10, 2026

Hi @jhelison — friendly ping! This PR is ready for review whenever you have a moment. All CI checks are passing. Happy to address any feedback. Thanks!


giwaov commented Apr 21, 2026

Hey @Thaleszh, would love to get your eyes on this when you have a moment. Thanks!
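
As an added example, not the PR's own file (the page shows only fragments of it): a go-vuln-scan.yml assembled from the triggers and flags given in the description, with the points raised in the review folded in (workflow_dispatch, pinned tool versions) plus a read-only permissions block and the workflow file itself in the path filter. The actions/checkout and actions/setup-go steps and every PLACEHOLDER value are assumptions to be filled in with vetted versions.

```yaml
name: Go vulnerability scan

on:
  push:
    branches: [main]
    paths:
      - "**.go"
      - "go.mod"
      - "go.sum"
      - ".github/workflows/go-vuln-scan.yml"   # so edits to the scan itself are scanned
  pull_request:
    paths:
      - "**.go"
      - "go.mod"
      - "go.sum"
      - ".github/workflows/go-vuln-scan.yml"
  schedule:
    - cron: "0 8 * * 1"   # Monday 08:00 UTC, as in the PR description
  workflow_dispatch:      # manual re-run after a fix or a new disclosure

# Least privilege: both scanners only need to read the checkout.
permissions:
  contents: read

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4     # replace with the release's commit SHA
      - uses: actions/setup-go@v5     # replace with the release's commit SHA
        with:
          go-version-file: go.mod     # toolchain follows the module, not "latest"
      # PLACEHOLDER_VERSION: the govulncheck release you have vetted, not @latest
      - run: go install golang.org/x/vuln/cmd/govulncheck@PLACEHOLDER_VERSION
      # Non-zero exit when a known vulnerability is reachable from this module.
      - run: govulncheck ./...

  gosec:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4     # replace with the release's commit SHA
      # PLACEHOLDER_SHA: full commit SHA of a tagged gosec release, not @master
      - uses: securego/gosec@PLACEHOLDER_SHA
        with:
          # Threshold filter from the PR: severity >= high, confidence >= medium,
          # generated files (protobuf, mocks) skipped.
          args: -severity high -confidence medium -exclude-generated ./...
```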


Development

Successfully merging this pull request may close these issues.

CI/CD: Run Go vulnerability scanning

2 participants