add govulncheck for scanning vulnerabilities

Signed-off-by: Davanum Srinivas <[email protected]>

Author: dims

.github/workflows/govulncheck.yml

@@ -0,0 +1,142 @@
+# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Go Vulnerability Check
+
+on:
+  push:
+    branches:
+      - main
+      - "pull-request/[0-9]+"
+    paths-ignore:
+      - '**/*.md'
+      - 'docs/**'
+      - 'LICENSE'
+      - '.github/ISSUE_TEMPLATE/**'
+      - '.github/headers/**'
+    tags:
+      - 'v*'
+  workflow_dispatch:
+  schedule:
+    - cron: '0 6 * * *'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+permissions:
+  contents: read
+  security-events: write
+  pull-requests: write
+
+jobs:
+  govulncheck:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
+
+      - name: Setup Go
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32  # v5.0.2
+        with:
+          go-version: 'stable'
+
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+
+      - name: Run govulncheck on all Go modules
+        run: |
+          # Find all directories with go.mod files
+          go_modules=$(find . -name "go.mod" -type f | grep -v ".git" | sort)
+
+          if [ -z "$go_modules" ]; then
+            echo "No Go modules found in repository"
+            exit 0
+          fi
+
+          failed_modules=()
+          exit_code=0
+          total_modules=0
+
+          echo "🔍 Discovered Go modules:"
+          for mod_file in $go_modules; do
+            mod_dir=$(dirname "$mod_file")
+            # Extract module name from go.mod file
+            mod_name=$(grep "^module " "$mod_file" | awk '{print $2}')
+            echo "  - $mod_name (path: $mod_dir)"
+            total_modules=$((total_modules + 1))
+          done
+          echo ""
+
+          echo "Running govulncheck on $total_modules module(s)..."
+          echo ""
+
+          for mod_file in $go_modules; do
+            mod_dir=$(dirname "$mod_file")
+            mod_name=$(grep "^module " "$mod_file" | awk '{print $2}')
+
+            echo "Checking $mod_name (path: $mod_dir)..."
+
+            # Run govulncheck and capture output
+            vuln_output=$(govulncheck -C "$mod_dir" ./... 2>&1)
+            vuln_exit_code=$?
+
+            if [ $vuln_exit_code -eq 0 ]; then
+              echo "✅ $mod_name: No vulnerabilities found"
+            else
+              # Check if all vulnerabilities have "Fixed in: N/A" (non-actionable)
+              if echo "$vuln_output" | grep -q "Fixed in: N/A"; then
+                # Count total vulnerabilities and those with no fix
+                total_vulns=$(echo "$vuln_output" | grep -c "Fixed in:")
+                no_fix_vulns=$(echo "$vuln_output" | grep -c "Fixed in: N/A")
+
+                if [ "$total_vulns" -eq "$no_fix_vulns" ]; then
+                  echo "⚠️  $mod_name: Found $no_fix_vulns non-actionable vulnerability(ies) (no fixes available)"
+                  echo "   Skipping as these vulnerabilities cannot be fixed at this time"
+                else
+                  actionable_vulns=$((total_vulns - no_fix_vulns))
+                  echo "❌ $mod_name: Found $actionable_vulns actionable vulnerability(ies) that need fixing"
+                  failed_modules+=("$mod_name")
+                  exit_code=1
+                fi
+              else
+                echo "❌ $mod_name: Vulnerabilities detected"
+                failed_modules+=("$mod_name")
+                exit_code=1
+              fi
+
+              # Show the vulnerability details
+              echo "$vuln_output" | head -20
+            fi
+            echo ""
+          done
+
+          echo "=== SUMMARY ==="
+          if [ ${#failed_modules[@]} -eq 0 ]; then
+            echo "🎉 All $total_modules module(s) passed actionable vulnerability checks!"
+            echo "   (Non-actionable vulnerabilities with 'Fixed in: N/A' are ignored)"
+          else
+            echo "🚨 Actionable vulnerabilities found in ${#failed_modules[@]} of $total_modules module(s):"
+            for module in "${failed_modules[@]}"; do
+              echo "  - $module"
+            done
+            echo ""
+            echo "Please review and address the actionable vulnerabilities in the modules listed above."
+            echo "Note: Vulnerabilities marked 'Fixed in: N/A' are ignored as they have no available fixes."
+          fi
+
+          exit $exit_code