Closed samcoe closed 1 year ago
@mislav So there are two major differences from my understanding: `govulncheck` analyzes your codebase and only surfaces vulnerabilities that actually affect you, based on which functions in your code are transitively calling vulnerable functions. I mostly want to enable this side by side with dependabot to see if one catches vulnerabilities that the other does not. Long term I can see us deciding to use just one or the other.
This PR adds an action for the new `govulncheck` tool to check for vulnerabilities in our dependencies.