Merged
5 changes: 2 additions & 3 deletions .github/workflows/govulncheck.yml
@@ -16,6 +16,5 @@ jobs:
- name: Run govulncheck
uses: codeready-toolchain/toolchain-cicd/govulncheck-action@master
with:
go-version-file: go.mod
cache: false
config: .govulncheck.yaml
config: .govulncheck.yaml
debug: true # optional (default = false)
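Review bot: the `debug: true # optional (default = false)` line added at the end of this hunk passes an input that nothing visible here shows the codeready-toolchain/toolchain-cicd govulncheck-action declaring, and the action.yml fetch later in this thread returned only 81 bytes, so support was never confirmed. GitHub Actions does not fail on an undeclared `with:` key; it logs an "Unexpected input(s)" warning and ignores the value, so the job would proceed without the extra output the inline comment promises. Suggest either dropping the line or checking the action's `inputs:` block first and, if `debug` does exist, keeping the comment accurate to its real default. The other two lines only swap `config: .govulncheck.yaml` for an otherwise identical copy (a whitespace-only change), which is fine.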
⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

codeready-toolchain/toolchain-cicd govulncheck-action action.yml parameters

💡 Result:

Here are the inputs (parameters) defined for the govulncheck GitHub Action (action.yml) and their defaults/meanings:

  • go-version-input: Version of Go to use for govulncheck (optional). [1][2]
  • check-latest: Whether to always check for the latest Go version satisfying the spec (optional, default: false). [1][2]
  • cache: Whether to enable Go caching (optional, default: true). [1][2]
  • cache-dependency-path: Path to dependency file used for cache (optional, default: '') (useful for monorepos). [2]
  • go-package (aka go-package / go-package): Package pattern to scan (optional, default: './...'). [1][2]
  • work-dir (work-dir / work-dir): Directory in which to run govulncheck (optional, default: '.'). [1][2]
  • repo-checkout: Whether to checkout the repository before running (optional, default: true). [1][2]
  • go-version-file: Path to go.mod or go.work file used to determine Go version (optional, default: ''). [1][2]
  • output-format: govulncheck output format ('text', 'json', 'sarif') (optional, default: 'text'). [2]
  • output-file: File to which govulncheck output is redirected (optional, default: ''). [2]
  • (other variants / forks) go-version / vulncheck-version / package / working-directory / github-token / fail-on-vuln / skip-upload, used by some community forks (defaults vary by fork). [3][5]

Sources:
[1] govulncheck-action action.yml (Go mirror).
[2] golang/govulncheck-action README (GitHub mirror).
[3] Templum/govulncheck-action README (community fork showing alternative input names).


🏁 Script executed:

# Fetch the action.yml file from the govulncheck-action repository
curl -s https://raw.githubusercontent.com/codeready-toolchain/toolchain-cicd/master/govulncheck-action/action.yml

Repository: codeready-toolchain/api

Length of output: 81


🏁 Script executed:

# Also check if README exists with parameter documentation
curl -s https://raw.githubusercontent.com/codeready-toolchain/toolchain-cicd/master/govulncheck-action/README.md | head -100

Repository: codeready-toolchain/api

Length of output: 1722


Remove the debug parameter and trailing whitespace on line 19.

The debug: true parameter is not documented in the codeready-toolchain/toolchain-cicd govulncheck-action and should be removed, as it appears to be an unsupported input. Line 19 also has a trailing space after .govulncheck.yaml that should be cleaned up. The config parameter is valid and correctly supported by this custom action.

🤖 Prompt for AI Agents
.github/workflows/govulncheck.yml around lines 19-20: remove the unsupported
"debug: true" input and trim the trailing whitespace after ".govulncheck.yaml"
on the config line; leave the valid "config: .govulncheck.yaml" entry but ensure
there is no trailing space and delete the entire "debug: true" line so only
supported inputs remain.

31 changes: 16 additions & 15 deletions .govulncheck.yaml
@@ -1,25 +1,26 @@
ignored-vulnerabilities:
# Parsing DER payload can cause memory exhaustion in encoding/asn1
# Found in: encoding/asn1@go1.23.12
# Fixed in: encoding/asn1@go1.24.8
- id: GO-2025-4011
info: https://pkg.go.dev/vuln/GO-2025-4011
silence-until: 2025-12-03
# Insufficient validation of bracketed IPv6 hostnames in net/url
# Insufficient validation of bracketed IPv6 hostnames in net/url
# Found in: net/url@go1.23.12
# Fixed in: net/url@go1.24.8
- id: GO-2025-4010
info: https://pkg.go.dev/vuln/GO-2025-4010
silence-until: 2025-12-03
# Quadratic complexity when parsing some invalid inputs in encoding/pem
# Found in: encoding/pem@go1.23.12
# Fixed in: encoding/pem@go1.24.8
- id: GO-2025-4009
info: https://pkg.go.dev/vuln/GO-2025-4009
silence-until: 2025-12-03
silence-until: 2026-01-03
# Quadratic complexity when checking name constraints in crypto/x509
# Found in: crypto/x509@go1.23.12
# Fixed in: crypto/x509@go1.24.9
- id: GO-2025-4007
info: https://pkg.go.dev/vuln/GO-2025-4007
silence-until: 2025-12-03
silence-until: 2026-01-10
# Quadratic complexity when parsing some invalid inputs in encoding/pem
# Found in: encoding/pem@go1.23.12
# Fixed in: encoding/pem@go1.24.8
- id: GO-2025-4009
info: https://pkg.go.dev/vuln/GO-2025-4009
silence-until: 2026-01-10
# Parsing DER payload can cause memory exhaustion in encoding/asn1
# Found in: encoding/asn1@go1.23.12
# Fixed in: encoding/asn1@go1.24.8
- id: GO-2025-4011
info: https://pkg.go.dev/vuln/GO-2025-4011
silence-until: 2026-01-10
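Review bot: every entry in this hunk pushes `silence-until` out by another month (2025-12-03 to 2026-01-03 for GO-2025-4010, and to 2026-01-10 for GO-2025-4007, GO-2025-4009 and GO-2025-4011) while the comments still record the same fix versions (go1.24.8 / go1.24.9), so the suppressions are being renewed rather than resolved. A short note on why the toolchain bump is blocked, or a tracking issue link beside each `info:` line, would keep the next renewal from being a rubber stamp. Two different expiry dates in one change also look unintentional and are worth aligning. The remaining churn in the hunk is a reordering of entries whose content did not change apart from the date.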
