Should we add `govulncheck` to CI?
Though I guess that would make it non-hermetic.
Originally posted by @zmerlynn in https://github.com/googleforgames/agones/pull/2841#issuecomment-1335296321
Looks like this came out in September: https://go.dev/blog/vuln, which is awesome - I was looking for a tool like this for ages.
I would be pro incorporating it into CI. I personally like that security issues break CI. They make it a high priority to fix it immediately, before work can continue.
CI is already non-hermetic, since we also check things like 404 links, etc.
One area of concern, reading https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck:
There is no support for silencing vulnerability findings.
Sometimes there are vulnerabilities that are valid but have no fix at this time. We may want to wait until there is a mechanism for exceptions in reporting (unless we roll our own?)
Nice note to add govulncheck, should I implement it inside a PR?
Maybe govulncheck could scan it as a daily task, at the right time, and be able to create issues automatically
As long as we can do exceptions if we need to - that would be my opinion.
One thought I had: we could do `govulncheck -json` to provide output - I wonder if we could use something like jq to be able to provide exceptions to specific security advisories?
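A sketch of that exception mechanism, added here as an example and not code from the Agones project: a small Go program that consumes `govulncheck -json` output and fails only on advisories missing from an allowlist that records a reason per exception. The JSON field names are an assumption about the x/vuln streaming format, and the `GO-0000-*` ids and the sample stream are constructed.

```go
package main

import (
	"encoding/json"
	"io"
	"log"
	"strings"
)

// One object of the govulncheck -json stream; only "finding" is decoded, other
// objects are skipped. Field names are assumed; confirm for your govulncheck version.
type message struct {
	Finding *struct {
		OSV string `json:"osv"`
	} `json:"finding"`
}

// FilterFindings returns each OSV id in the stream that is not in allow
// (id -> reason), once; govulncheck emits one finding per call trace.
func FilterFindings(r io.Reader, allow map[string]string) ([]string, error) {
	dec, seen := json.NewDecoder(r), map[string]bool{}
	var out []string
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			return out, nil
		} else if err != nil {
			return nil, err
		}
		if f := m.Finding; f != nil && !seen[f.OSV] {
			seen[f.OSV] = true
			if _, ok := allow[f.OSV]; !ok {
				out = append(out, f.OSV)
			}
		}
	}
}

// SampleStream is constructed input standing in for `govulncheck -json ./...`.
const SampleStream = `{"finding":{"osv":"GO-0000-0001","fixed_version":""}}
{"finding":{"osv":"GO-0000-0002","fixed_version":"v1.2.3"}}
{"finding":{"osv":"GO-0000-0002","fixed_version":"v1.2.3"}}`

func main() {
	allow := map[string]string{"GO-0000-0001": "no upstream fix yet"} // exception + reason
	ids, err := FilterFindings(strings.NewReader(SampleStream), allow)
	if err != nil || len(ids) > 0 {
		log.Fatalln("unallowlisted findings:", ids, err) // non-zero exit fails CI
	}
}
```

In CI the sample would be replaced by `govulncheck -json ./...` piped to this program's stdin, with the allowlist kept in the repo so each exception is reviewed like code.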
https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security#what-are-dependabot-updates
This issue is marked as Stale due to inactivity for more than 30 days. To avoid being marked as 'stale' please add 'awaiting-maintainer' label or add a comment. Thank you for your contributions.
I wrote this, and I think we don't need to do this, since we have dependabot - so closing as wontfix.