Use govulncheck to scan the runner binary (#744)

thegridman · web-flow · commit 40f82120d7e6 · 2025-05-12T13:46:43.000+03:00
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
@@ -1,4 +1,4 @@
-# Copyright 2022, 2024, Oracle Corporation and/or its affiliates.  All rights reserved.
+# Copyright 2022, 2025, Oracle Corporation and/or its affiliates.  All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at
 # http://oss.oracle.com/licenses/upl.
 
@@ -81,6 +81,7 @@ jobs:
     - name: Image Scan
       shell: bash
       run:  |
+        sh ./hack/golang/govulncheck.sh
         echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin
         export TRIVY_CACHE=$GITHUB_WORKSPACE/.cache/trivy
         make trivy-scan
diff --git a/hack/golang/govulncheck.sh b/hack/golang/govulncheck.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+#
+# Copyright (c) 2020, 2025, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at
+# http://oss.oracle.com/licenses/upl.
+#
+
+
+go install golang.org/x/vuln/cmd/govulncheck@latest
+make runner
+govulncheck -mode binary -show traces,version,verbose  ./bin/runner
