Add a workflow to auto-bump vulnerable dependencies#5437
Open
pietern wants to merge 4 commits into
Conversation
Adds a daily workflow that upgrades the root module's dependencies flagged by govulncheck to their fixed versions and opens a PR. The tools/vulnbump command parses the scan JSON, applies the bumps via go get + go mod tidy, and renders the PR summary. Standard-library advisories are left to the Bump Go toolchain workflow. Co-authored-by: Isaac
Add govulncheck to the tools/go.mod tool directive and build it from there, so its version is managed alongside the other tools (and bumpable by dependabot) rather than hardcoded as @Version in the workflow. The vulnerability database is still fetched from vuln.go.dev at runtime, so the pinned binary scans against the latest advisories. Also point setup-go at tools/go.mod, the module this job compiles. Co-authored-by: Isaac
Use `go tool -modfile=tools/go.mod govulncheck`, matching the repo's GO_TOOL idiom in Taskfile.yml. -modfile resolves the pinned tool from tools/go.mod while it scans the root module (the working directory), so there's no need to build the binary first. Co-authored-by: Isaac
Tests run from the package directory, so the fixture can be read with os.ReadFile rather than //go:embed. Co-authored-by: Isaac
renaudhartert-db (Collaborator) approved these changes on Jun 4, 2026, at commit 9d6b347.
Adds a daily workflow that upgrades the root module's dependencies flagged by `govulncheck` to their fixed versions and opens a PR, alongside the existing Bump Go toolchain workflow. `govulncheck -scan module` reports every advisory affecting a required module regardless of reachability, which is broader than trivy (GHSA-fed, so it lags `golang.org/x/*` advisories). The new `tools/vulnbump` command consumes the scan's JSON, bumps each affected dependency to its highest fixed version via `go get` + `go mod tidy`, and renders the PR summary.

- Bump Go toolchain workflow.
- `govulncheck` error aborts the job rather than being mistaken for "no vulnerabilities".
- `tools/go.mod` (bumpable by dependabot); its database is fetched from https://vuln.go.dev at runtime, so scans still use the latest advisories.
- Parsing, version selection, and summary rendering live in `tools/vulnbump` with unit and end-to-end tests.

This pull request and its description were written by Isaac.
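The parse, select-highest-fix, and `go get` steps the description outlines, as an added Go example written for this page; it is not the PR's `tools/vulnbump` code. It assumes the `govulncheck -json` "finding" message carries `osv`, `fixed_version` and `trace[].module`/`version` fields and that `trace[0]` names the vulnerable module (the only frame under `-scan module`); `versionKey` is a small stand-in for `golang.org/x/mod/semver`, and the modules and OSV IDs in `sampleScan` are constructed. Two caveats from the description are handled: a decode error is returned rather than read as "no vulnerabilities", and `stdlib` findings are skipped for the toolchain workflow.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// message is one object of the newline-delimited govulncheck -json stream. Only
// "finding" is read; its field names are an assumption (verify against tools/go.mod).
type message struct {
	Finding *struct {
		OSV          string
		FixedVersion string `json:"fixed_version"` // "" when no fix is published
		Trace        []struct{ Module, Version string }
	}
}

// Bump is one upgrade to apply; To is "" when none of the module's advisories has a fix.
type Bump struct {
	Module, From, To string
	OSVs             []string
}

// ParseScan groups findings per module, keeping the highest fixed version so a
// single bump clears every advisory. "stdlib" findings are left to the toolchain
// workflow. Malformed input is an error, never an empty "all clear" result.
func ParseScan(r io.Reader) (map[string]*Bump, error) {
	dec := json.NewDecoder(r)
	byModule := map[string]*Bump{}
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, fmt.Errorf("govulncheck output is not valid JSON: %w", err)
		}
		f := m.Finding
		if f == nil || len(f.Trace) == 0 || f.Trace[0].Module == "stdlib" {
			continue
		}
		mod := f.Trace[0] // assumed to be the vulnerable module's frame (the only one under -scan module)
		b := byModule[mod.Module]
		if b == nil {
			b = &Bump{Module: mod.Module, From: mod.Version}
			byModule[mod.Module] = b
		}
		b.OSVs = append(b.OSVs, f.OSV)
		if versionKey(f.FixedVersion) > versionKey(b.To) {
			b.To = f.FixedVersion
		}
	}
	return byModule, nil
}

// GoGet is the argv that applies this bump (one invocation per module, so a
// failure is attributable), or nil when no fixed version exists. go mod tidy follows.
func (b Bump) GoGet() []string {
	if b.To == "" {
		return nil
	}
	return []string{"go", "get", b.Module + "@" + b.To}
}

// versionKey maps "v1.2.3-rc.1+meta" to a string whose byte order follows semver
// precedence closely enough to pick the highest fix: zero-padded core, then "~" for
// a release (above any prerelease tag) or the tag itself (compared as plain text).
func versionKey(v string) string {
	if v == "" {
		return "" // sorts below every real version
	}
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+")
	core, pre, isPre := strings.Cut(v, "-")
	var maj, mnr, pat int
	fmt.Sscanf(core, "%d.%d.%d", &maj, &mnr, &pat)
	if !isPre {
		pre = "~"
	}
	return fmt.Sprintf("%08d.%08d.%08d-%s", maj, mnr, pat, pre)
}

// sampleScan is a constructed stream (made-up modules and OSV IDs) in the shape
// of govulncheck -scan module -json output.
const sampleScan = `
{"progress":{"message":"Scanning your code and 2 modules..."}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v1.2.3","trace":[{"module":"example.com/dep","version":"v1.2.0"}]}}
{"finding":{"osv":"GO-0000-0002","fixed_version":"v1.4.0","trace":[{"module":"example.com/dep","version":"v1.2.0"}]}}
{"finding":{"osv":"GO-0000-0003","fixed_version":"v1.4.0-rc.1","trace":[{"module":"example.com/dep","version":"v1.2.0"}]}}
{"finding":{"osv":"GO-0000-0004","fixed_version":"v1.22.5","trace":[{"module":"stdlib","version":"v1.22.3"}]}}
{"finding":{"osv":"GO-0000-0005","trace":[{"module":"example.com/other","version":"v0.1.0"}]}}
`

func main() {
	bumps, err := ParseScan(strings.NewReader(sampleScan))
	if err != nil {
		panic(err) // fail the job on a broken scan rather than open an empty PR
	}
	for mod, b := range bumps {
		fmt.Println(mod, b.From, "->", b.To, b.OSVs, b.GoGet())
	}
}
```

On the sample, `example.com/dep` is bumped once to `v1.4.0` (the highest fix across its three advisories; the `v1.4.0-rc.1` fix ranks below the release), `example.com/other` is reported with no fix and yields no `go get`, and the `stdlib` finding is dropped. A real workflow should sort the map before rendering the PR summary, run `go mod tidy` after the upgrades, and use `golang.org/x/mod/semver.Compare` instead of the string key, which compares prerelease tags lexically.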