Summary
Add govulncheck to the CI pipeline to scan for known vulnerabilities in Go dependencies.
Context
Issue #15 identified that replicator has no security scanning CI step. The canonical reference (unbound-force/unbound-force) runs OSV-Scanner and Trivy source scans via ci_security.yml. At minimum, replicator should run govulncheck as part of CI.
Once a security scan check is present, the release preflight (being added in #15) can be extended to verify it passed before allowing a release.
Acceptance Criteria
- Add govulncheck step to CI (either in ci.yml or a new ci_security.yml)
- govulncheck finds known vulnerabilities in dependencies
References
- unbound-force/unbound-force/.github/workflows/ci_security.yml
- govulncheck under CI flags and linter configuration
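As an added example (not code from the replicator or unbound-force repositories), a minimal ci_security.yml that runs govulncheck on every push and pull request; the trigger branches, the Go setup via go.mod and the action versions are assumptions:

```yaml
# Example workflow added for this issue; not taken from replicator or unbound-force.
# Assumptions: the default branch is "main" and go.mod pins the Go toolchain version.
name: ci_security

on:
  push:
    branches: [main]
  pull_request:

# The job only needs to read the repository; no write scopes for the token.
permissions:
  contents: read

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod   # assumption: go.mod carries the Go version

      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest

      # govulncheck exits non-zero when it finds a known vulnerability whose
      # affected symbols are reachable from this module's code, so this step
      # fails the pipeline and gives the release preflight a check to require.
      - name: Scan Go dependencies for known vulnerabilities
        run: govulncheck ./...
```

Note that govulncheck reports only vulnerabilities in code paths the module actually calls, so a vulnerable version listed in go.mod but never invoked does not fail this step; that is the gap OSV-Scanner in the reference ci_security.yml covers by matching dependency versions directly.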