From a7e1c95f2127b1791d96857d3234df9e823daefe Mon Sep 17 00:00:00 2001
From: Jonathan Knight
Date: Sun, 11 May 2025 12:38:06 +0300
Subject: [PATCH] Use govulncheck to scan the runner binary
---
 .github/workflows/trivy.yaml | 3 ++-
 hack/golang/govulncheck.sh | 11 +++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 hack/golang/govulncheck.sh
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
index 9e9a7aa9..18b78fe5 100644
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
@@ -1,4 +1,4 @@
-# Copyright 2022, 2024, Oracle Corporation and/or its affiliates. All rights reserved.
+# Copyright 2022, 2025, Oracle Corporation and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at
 # http://oss.oracle.com/licenses/upl.
@@ -81,6 +81,7 @@ jobs:
 - name: Image Scan
 shell: bash
 run: |
+ sh ./hack/golang/govulncheck.sh
 echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin
 export TRIVY_CACHE=$GITHUB_WORKSPACE/.cache/trivy
 make trivy-scan
diff --git a/hack/golang/govulncheck.sh b/hack/golang/govulncheck.sh
new file mode 100644
index 00000000..552b88d2
--- /dev/null
+++ b/hack/golang/govulncheck.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+#
+# Copyright (c) 2020, 2025, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at
+# http://oss.oracle.com/licenses/upl.
+#
+
+
+go install golang.org/x/vuln/cmd/govulncheck@latest
+make runner
+govulncheck -mode binary -show traces,version,verbose ./bin/runner
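Review bot: In `.github/workflows/trivy.yaml`, the added `sh ./hack/golang/govulncheck.sh` line sits at the top of the existing `Image Scan` run block, so with `shell: bash` a non-zero exit from the script ends the step before `make trivy-scan` runs, and a failure cannot be attributed to one scanner from the step status alone. It also means the tool the script downloads runs inside the same step whose script text contains the expanded `secrets.GITHUB_TOKEN` expression; keeping freshly fetched tooling out of token-bearing steps is the safer layout. Consider a dedicated step placed before this one, `- name: Govulncheck` with `run: sh ./hack/golang/govulncheck.sh`, leaving `Image Scan` to do only the registry login and Trivy. Whether the job sets up a Go toolchain before this step is outside the hunk, and the script's `go install` depends on it.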
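Review bot: The new `hack/golang/govulncheck.sh` has no `set -e`, so a failed `go install` or `make runner` does not stop the script and its exit status comes only from the final `govulncheck` call. If an older `govulncheck` is already on `PATH` or a stale `./bin/runner` exists, the scan can then report clean against the wrong tool or the wrong binary; add `set -eu` directly after the licence header. The install line also uses `@latest`, so every CI run executes whichever release was published most recently. Pinning it, for example `go install golang.org/x/vuln/cmd/govulncheck@<pinned-version>` (placeholder, pick the release you have reviewed), keeps the scanner itself reproducible while the vulnerability database it queries still updates.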