
Add govulncheck to CI for vulnerability scanning #921

Open: uloamaka wants to merge 2 commits into OneBusAway:main from uloamaka:ci/add_govulncheck

Conversation

@uloamaka (Contributor) commented May 10, 2026

  • This PR adds a standalone vuln_check job to the CI workflow that runs govulncheck ./... against the codebase on every push request to catch known CVEs in Go dependencies before they ship.

Why the continue-on-error flag:

  • Setting continue-on-error: true adds visibility into vulnerabilities without blocking merges while the project remains on Go 1.24. Once the project bumps to Go 1.25, continue-on-error can be removed and the job becomes a hard gate.

FIX: #884

Summary by CodeRabbit

  • Chores
    • Enhanced automated security scanning to verify dependencies for known vulnerabilities during the development process.


@coderabbitai (Bot) commented May 10, 2026

Walkthrough

The PR adds a new vuln_check job to the GitHub Actions Go CI workflow. The job sets up Go 1.24, checks out the repository, and runs govulncheck to scan dependencies for known vulnerabilities. It is configured to continue on error with a 5-minute timeout.

Changes

Vulnerability Check Job

Layer / File(s): Workflow Configuration (.github/workflows/go.yml)
Summary: New vuln_check job added that runs govulncheck against Go dependencies with Go 1.24, checkout step, continue-on-error: true, and timeout-minutes: 5.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Pre-merge checks: 5 passed

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Linked Issues check: Passed. The PR fulfills all coding objectives from issue #884: integrates govulncheck into CI, uses the exact command specified, and implements it as a standalone job in the workflow.
  • Out of Scope Changes check: Passed. All changes are directly related to implementing govulncheck vulnerability scanning; no unrelated modifications to other parts of the codebase.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Title check: Passed. The title clearly and accurately summarizes the main change: adding govulncheck to CI for vulnerability scanning, which matches the PR's primary objective.


@coderabbitai (Bot) left a review comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/go.yml (1)

3-14: ⚡ Quick win

Consider adding a scheduled trigger for proactive vulnerability detection.

Currently, govulncheck only runs when Go files or dependencies change. Vulnerability databases are updated independently as new CVEs are disclosed, so unchanged dependencies can become vulnerable between code changes.

Adding a scheduled trigger (e.g., weekly) would proactively detect newly disclosed vulnerabilities in your dependency tree, which is especially valuable for long-lived branches or between releases.

📅 Example: Add weekly scheduled scan
 on:
   push:
     branches: [main]
     paths:
       - '**.go'
       - 'go.mod'
       - 'go.sum'
   pull_request:
     paths:
       - '**.go'
       - 'go.mod'
       - 'go.sum'
+  schedule:
+    # Run vulnerability check every Monday at 09:00 UTC
+    - cron: '0 9 * * 1'
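Review bot: with continue-on-error: true still in place, a scheduled run that finds a newly disclosed vulnerability ends green, so the weekly scan produces a log entry nobody is alerted to, and there is no pull request for the findings to be annotated on. Consider limiting the soft gate to push and pull_request events, e.g. "continue-on-error: ${{ github.event_name != 'schedule' }}", so scheduled scans fail loudly and trigger the normal workflow-failure notification. Since the schedule ignores the paths filter and runs the whole workflow (fmt, lint, test, test-race) as the note says, moving vuln_check into its own workflow file with the cron trigger would also keep the weekly run cheap.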

Note: Scheduled runs ignore the paths filter and will run the entire workflow, but continue-on-error: true ensures only visibility without blocking.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/go.yml around lines 3 - 14, The workflow currently
triggers govulncheck only on push/pull_request with a paths filter; add a weekly
scheduled trigger by adding an on: schedule entry (e.g., cron: '0 0 * * 0' for
weekly) so the workflow runs proactively, and ensure the govulncheck job/step
(the job that runs govulncheck) is marked continue-on-error: true so scheduled
runs report but do not block CI; keep the existing push/pull_request triggers
and paths filter intact (scheduled runs will ignore paths).

Commits: reviewing files that changed from the base of the PR and between f89f0fd and 6ebbabb.

Files selected for processing (1):
  • .github/workflows/go.yml

Comment thread on .github/workflows/go.yml:

         with:
           go-version: '1.24'
           cache: true
           check-latest: true

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Remove check-latest: true for version consistency across jobs.

The vuln_check job is the only one using check-latest: true, while other jobs (fmt, lint, test, test-race) use go-version: '1.24' with cache: true only. This can create version skew where vulnerability scanning runs on Go 1.24.x (latest patch) while tests run on Go 1.24.y (cached version).

For accurate vulnerability assessment, scan the same Go version used in tests and production.

🔧 Proposed fix to align with other jobs
       - name: Install Go
         uses: actions/setup-go@v5
         with:
           go-version: '1.24'
           cache: true
-          check-latest: true
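Review bot: dropping check-latest: true aligns the five jobs, but go-version: '1.24' is still a floating minor version: setup-go resolves it to whichever 1.24.x patch is in the runner image's tool cache, so the scan and the tests can drift apart again as runner images update, and the skew described above returns silently. If the intent is to scan exactly the toolchain that builds releases, pin a full patch release (for example go-version: '1.24.N', with N the patch actually in use) or point every job at "go-version-file: go.mod" so the version is declared once in the repository. Either way, apply the same setting to fmt, lint, test and test-race, not only to vuln_check.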
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/go.yml at line 161, In the vuln_check GitHub Actions job
remove the "check-latest: true" setting so the job uses the same pinned Go
release as other jobs; ensure vuln_check includes the same "go-version: '1.24'"
and "cache: true" keys as fmt/lint/test/test-race (or explicitly set
"check-latest: false" if you prefer keeping the key) to avoid version skew when
running vulnerability scans.
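Putting the PR description and both review comments together, here is an added illustration (not the PR's own diff, which this page does not reproduce) of a vuln_check job with the weekly schedule trigger and without the check-latest key. The runner label, the step names, the checkout action version and the govulncheck install line are assumptions.

```yaml
# Added example: a vuln_check job as described in this PR, with both review
# suggestions applied. Runner label, step names, the checkout version and the
# install line are assumptions; the real .github/workflows/go.yml is not
# reproduced on this page.
on:
  push:
    branches: [main]
    paths: ['**.go', 'go.mod', 'go.sum']
  pull_request:
    paths: ['**.go', 'go.mod', 'go.sum']
  schedule:
    # Weekly re-scan: unchanged dependencies can become vulnerable when new
    # advisories are published, so do not rely on code changes alone.
    - cron: '0 9 * * 1'

jobs:
  vuln_check:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    # Advisory while the project is on Go 1.24: findings are reported in the
    # job log, but the workflow run does not fail. Remove this line once the
    # project moves to Go 1.25 to make the job a hard gate.
    continue-on-error: true
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.24'
          cache: true
          # No check-latest here: use the same resolved toolchain as the
          # fmt, lint, test and test-race jobs to avoid version skew.
      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - name: Run govulncheck
        run: govulncheck ./...
```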

uloamaka changed the title from "## Add govulncheck to CI for vulnerability scanning" to "Add govulncheck to CI for vulnerability scanning" on May 10, 2026.

Development

Successfully merging this pull request may close these issues: CI: Add govulncheck to Go CI workflow