unknown block type: tool

[pfi79]

go 1.24.0

Failed to run code analysis (govulncheck) on '/github/workspace/go.mod' because govulncheck: loading packages: err: exit status 1: stderr: go: errors parsing go.mod:
go.mod:5: unknown block type: tool
(the Go toolchain is required)

go.mod

module ppp

go 1.24.0

tool (
	github.com/go-swagger/go-swagger/cmd/swagger
	github.com/hyperledger/fabric-lib-go/common/metrics/cmd/gendoc
	github.com/maxbrunsfeld/counterfeiter/v6
	github.com/onsi/ginkgo/v2/ginkgo
	github.com/vektra/mockery/v2

[another-rex]

What version of osv-scanner are you running? If it is v1 then it would have been built with go1.23 which wouldn't have support for this.

Can you try to install it with go install with go 1.24.0, or install the new osv-scanner v2 builds on github, which might solve this issue.

[pfi79]

I use

  osv-scanner:
    uses: "google/osv-scanner-action/.github/workflows/[email protected]"

if replaced

  osv-scanner:
    uses: "google/osv-scanner-action/.github/workflows/[email protected]"

I get an error:

error parsing called workflow
".github/workflows/vulnerability-scan.yml"
-> "google/osv-scanner-action/.github/workflows/[email protected]"
: failed to fetch workflow: reference to workflow should be either a valid branch, tag, or commit

[another-rex]

Ah I see you are using the github action. We haven't currently released the github action for v2 yet as it is still in beta, but you can try the main branch which should be pointed to the new beta v2 version.

  osv-scanner:
    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@main"