govulncheck: run from a container#714

Merged
xcoulon merged 2 commits into codeready-toolchain:master from xcoulon:govulncheck_dockerfile_member
Dec 11, 2025

Conversation

@xcoulon
Contributor

@xcoulon xcoulon commented Dec 10, 2025

see changes for the govulncheck-action in codeready-toolchain/toolchain-cicd#159

Signed-off-by: Xavier Coulon <xcoulon@redhat.com>

Summary by CodeRabbit

  • Chores
    • Security check workflow now relies on default tooling settings and enables debug output for improved visibility.
    • Updated vulnerability suppression dates and added two vulnerability entries to extend silence windows through early 2026.

see changes for the govulncheck-action in codeready-toolchain/toolchain-cicd#159

Signed-off-by: Xavier Coulon <xcoulon@redhat.com>
@openshift-ci openshift-ci bot requested review from jrosental and metlos December 10, 2025 10:06
@coderabbitai

coderabbitai bot commented Dec 10, 2025

Walkthrough

Updated the govulncheck workflow to remove explicit Go version and caching inputs and enable debug; updated .govulncheck.yaml by extending silence-until dates and adding two ignored vulnerability entries (GO-2025-4155, GO-2025-4175).

Changes

Cohort / File(s): GitHub Actions Workflow Configuration
  .github/workflows/govulncheck.yml
  Summary: Removed go-version-file: go.mod and cache: false inputs from the Run govulncheck step; added debug: true; kept config: .govulncheck.yaml. Action now relies on defaults for Go version and caching.

Cohort / File(s): Govulncheck Ignore List / Manifest
  .govulncheck.yaml
  Summary: Updated multiple silence-until dates from 2025-12-03 to 2026-01-09; added two ignored vulnerabilities GO-2025-4155 and GO-2025-4175 with silence-until: 2026-01-09. No API or exported symbol changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Review .govulncheck.yaml entries for correctness of IDs/dates.
  • Verify enabling debug: true in the workflow is intentional and acceptable for CI logs.

Suggested labels

lgtm

Suggested reviewers

  • metlos
  • jrosental
  • alexeykazakov

Poem

🐰 Soft paws on code, I tweak the trail tonight,
Dates hop forward, quieted warnings take flight,
Debug lights switched on to catch a shy bug,
Two new names added — a careful little tug,
I nibble the chores and leave the pipeline bright.

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)
  Check name: Title check
  Status: ❓ Inconclusive
  Explanation: The title 'govulncheck: run from a container' is vague and does not clearly reflect the actual changes made in the pull request, which involve updating workflow configuration and vulnerability silence dates.
  Resolution: Consider revising the title to be more specific about the actual changes, such as 'Update govulncheck workflow to use defaults and enable debug mode' or similar.

✅ Passed checks (2 passed)
  Check name: Description Check
  Status: ✅ Passed
  Explanation: Check skipped - CodeRabbit’s high-level summary is enabled.

  Check name: Docstring Coverage
  Status: ✅ Passed
  Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8ebc672 and a4d2144.

📒 Files selected for processing (1)
  • .govulncheck.yaml (1 hunks)
🔇 Additional comments (2)
.govulncheck.yaml (2)

7-7: Verify plan to address silenced vulnerabilities by 2026-01-09.

All eight existing vulnerability silence-until dates have been extended to 2026-01-09, creating a ~30-day remediation window from the PR date. Confirm that:

  1. This extension aligns with the related changes in govulncheck: run from a Container toolchain-cicd#159
  2. There is a documented plan to upgrade Go dependencies or patch these vulnerabilities before the silence-until expiration
  3. The team is aware these warnings will reappear on that date if not addressed

Also applies to: 13-13, 19-19, 25-25, 31-31, 37-37, 43-43, 49-49


50-61: Clarify the rationale for newly silenced vulnerabilities GO-2025-4155 and GO-2025-4175.

Two new vulnerabilities have been added to the ignore list, both in crypto/x509 with the same 2026-01-09 expiration. Provide context for:

  1. Why these specific vulnerabilities are being silenced now
  2. Whether they are already present in the codebase or are being preemptively silenced
  3. How they relate to the govulncheck-action changes referenced in the PR description

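The review's first point asks for a plan before the 2026-01-09 silence dates expire. The script below is an added example, not code from this PR or from the toolchain-cicd action: it reads an ignore list in the shape the review describes and reports entries whose silence-until date has already passed or whose window is longer than a chosen limit. The `ignore:`/`id:` layout of the sample, the GO-0000-0001 placeholder entry and the 45-day limit are assumptions; only the `silence-until` key, the two GO IDs and the 2026-01-09 date come from the page.

```python
from datetime import date, timedelta

# Constructed sample. `silence-until`, GO-2025-4155, GO-2025-4175 and the
# 2026-01-09 date are from the PR; the `ignore:`/`id:` layout and the
# GO-0000-0001 placeholder entry are assumptions made for this example.
SAMPLE = """\
ignore:
  - id: GO-2025-4155
    silence-until: 2026-01-09
  - id: GO-2025-4175
    silence-until: 2026-01-09
  - id: GO-0000-0001
    silence-until: 2025-12-03
"""


def parse_ignore_list(text):
    """Return a list of (vuln_id, silence_until) from the minimal layout above."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- id:"):
            current = line.split(":", 1)[1].strip()
        elif line.startswith("silence-until:") and current is not None:
            until = date.fromisoformat(line.split(":", 1)[1].strip())
            entries.append((current, until))
            current = None
    return entries


def lint(entries, today, max_window_days=45):
    """Map each id to 'expired' (date passed, govulncheck will fail again),
    'too-long' (window over max_window_days, an assumed policy) or 'ok'."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    verdicts = {}
    for vuln_id, until in entries:
        if until < today:
            verdicts[vuln_id] = "expired"
        elif until - today > timedelta(days=max_window_days):
            verdicts[vuln_id] = "too-long"
        else:
            verdicts[vuln_id] = "ok"
    return verdicts


if __name__ == "__main__":
    for vuln_id, verdict in lint(parse_ignore_list(SAMPLE), date.today()).items():
        print(f"{vuln_id}: {verdict}")
```

Run it from CI before the govulncheck step to fail early on an expired entry instead of discovering it when the scan reports the vulnerability again.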

Signed-off-by: Xavier Coulon <xcoulon@redhat.com>

@codecov

codecov bot commented Dec 10, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.53%. Comparing base (61ed5ca) to head (a4d2144).
⚠️ Report is 1 commit behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #714   +/-   ##
=======================================
  Coverage   82.53%   82.53%           
=======================================
  Files          48       48           
  Lines        3596     3596           
=======================================
  Hits         2968     2968           
  Misses        477      477           
  Partials      151      151           

@openshift-ci

openshift-ci bot commented Dec 10, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alexeykazakov, MatousJobanek, xcoulon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [MatousJobanek,alexeykazakov,xcoulon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@xcoulon xcoulon merged commit 5167efb into codeready-toolchain:master Dec 11, 2025
15 of 16 checks passed
@xcoulon xcoulon deleted the govulncheck_dockerfile_member branch December 11, 2025 13:00