cli / go-gh

A Go module for interacting with gh and the GitHub API from the command line.
https://pkg.go.dev/github.com/cli/go-gh/v2
MIT License
322 stars 45 forks

Add govulncheck action #71

Closed samcoe closed 1 year ago

samcoe commented 1 year ago

This PR adds an action for the new govulncheck tool to check for vulnerabilities in our dependencies.

samcoe commented 1 year ago

@mislav So there are two major differences, from my understanding:

  1. govulncheck analyzes your codebase and only surfaces vulnerabilities that actually affect you, based on which functions in your code are transitively calling vulnerable functions.
  2. It uses a different database of vulnerabilities to check against. I would guess that there is huge overlap between it and the dependabot one.

I mostly want to enable this side by side with dependabot to see if one catches vulnerabilities that the other does not. Long term I can see us deciding to use just one or the other.
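For readers who want to see what the "side by side with dependabot" setup described above looks like in practice, here is an added example of a GitHub Actions workflow that runs govulncheck on every push and pull request and on a weekly schedule. It is not the workflow from this PR or from the go-gh project; the branch name, file path and cron schedule are assumptions, and it installs govulncheck with `go install` rather than relying on any particular action.

```yaml
# .github/workflows/govulncheck.yml  (added example; not the workflow from PR #71)
name: govulncheck

on:
  push:
    branches: [main]        # assumption: adjust to the repository's default branch
  pull_request:
  schedule:
    # Re-run weekly so advisories published after the last commit are still caught.
    - cron: "0 6 * * 1"

# Read-only token: the job only needs to fetch source and the vulnerability DB.
permissions:
  contents: read

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod   # use the module's own Go version

      # Install the scanner. Pin to a release tag once one is chosen;
      # @latest is used here only for brevity.
      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest

      # Default source mode builds a call graph and reports only vulnerabilities
      # whose affected functions are reachable from this module's code, which is
      # the first difference noted in the comment above. A non-zero exit fails
      # the job when such a vulnerability is found.
      - name: Run govulncheck
        run: govulncheck ./...
```

Dependabot is configured independently in `.github/dependabot.yml` with `package-ecosystem: gomod`, so both scanners run on the same module; comparing what each one flags over time is how the overlap and the reachability filtering described above can be judged.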