Merge pull request #442 from docker/chore/govulncheck

feat: govulncheck

Author: joe0BAB

.github/workflows/govulncheck.yml

@@ -0,0 +1,33 @@
+name: govulncheck
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+jobs:
+  check:
+    name: Check for known vulnerabilities that affect Go code
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      pull-requests: write
+      contents: write
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Hub login
+        uses: docker/login-action@v3
+        with:
+          username: ${{ vars.DOCKERBUILDBOT_USERNAME }}
+          password: ${{ secrets.DOCKERBUILDBOT_WRITE_PAT }}
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver: cloud
+          endpoint: "docker/secrets-engine"
+          install: true
+
+      - name: govulncheck
+        run: make BUILDER=${{ steps.buildx.outputs.name }} govulncheck

Dockerfile

@@ -77,6 +77,28 @@ RUN --mount=type=bind,target=.,ro \
     golangci-lint run -v $(go list -f '{{.Dir}}/...' -m | xargs)
 EOT
 
+FROM golang AS govulncheck
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=tmpfs,target=/go/src/ \
+    go install "golang.org/x/vuln/cmd/govulncheck@latest" \
+    && govulncheck -version
+
+FROM golang AS do-govulncheck
+ARG TARGETARCH
+ARG GO_VERSION
+COPY --link --from=govulncheck /go/bin/govulncheck /go/bin/govulncheck
+WORKDIR /govulncheck
+ENV GOARCH=${TARGETARCH}
+ENV GOTOOLCHAIN=go${GO_VERSION}
+ENV PATH=/go/bin:$PATH
+RUN --mount=type=bind,target=.,ro <<EOT
+    set -euo pipefail
+    for dir in $(go list -f '{{.Dir}}' -m); do
+      (cd "$dir" && govulncheck -show=verbose ./...)
+    done
+EOT
+
 FROM golang AS gomodguard
 ARG GOMODGUARD_VERSION=v1.4.1
 RUN --mount=type=cache,target=/root/.cache/go-build \

Makefile

@@ -102,6 +102,10 @@ mod:
 	@go work sync
 	@go work vendor
 
+.PHONY: govulncheck
+govulncheck:
+	@docker buildx build $(DOCKER_BUILD_ARGS) --target=do-govulncheck --platform=linux/arm64,linux/amd64 .
+
 .PHONY: gomodguard
 gomodguard:
 	@docker buildx build $(DOCKER_BUILD_ARGS) --target=do-gomodguard .

go.work

@@ -1,4 +1,4 @@
-go 1.25.0
+go 1.25.6
 
 use (
 	./client