diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml
index ae4d24d122..257ac73eea 100644
--- a/.github/workflows/codeql-analysis.yaml
+++ b/.github/workflows/codeql-analysis.yaml
@@ -1,3 +1,4 @@
+# https://codeql.github.com
 name: CodeQL
 on:
@@ -15,14 +16,13 @@ env:
 jobs:
 analyze:
- runs-on: ubuntu-latest
+ if: ${{ github.repository == 'CrunchyData/postgres-operator' }}
 permissions:
 actions: read
 contents: read
 security-events: write
- if: ${{ github.repository == 'CrunchyData/postgres-operator' }}
-
+ runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
 - uses: actions/setup-go@v5
diff --git a/.github/workflows/govulncheck.yaml b/.github/workflows/govulncheck.yaml
new file mode 100644
index 0000000000..098ad5f725
--- /dev/null
+++ b/.github/workflows/govulncheck.yaml
@@ -0,0 +1,48 @@
+# https://go.dev/security/vuln
+name: govulncheck
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+
+env:
+ # Use the Go toolchain installed by setup-go
+ # https://github.com/actions/setup-go/issues/457
+ GOTOOLCHAIN: local
+
+jobs:
+ vulnerabilities:
+ if: ${{ github.repository == 'CrunchyData/postgres-operator' }}
+ permissions:
+ security-events: write
+
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ # Install Go and produce a SARIF report. This fails only when the tool is
+ # unable to scan.
+ - name: Prepare report
+ uses: golang/govulncheck-action@v1
+ with:
+ output-file: 'govulncheck-results.sarif'
+ output-format: 'sarif'
+ repo-checkout: false
+
+ # Submit the SARIF report to GitHub code scanning. Pull request checks
+ # succeed or fail according to branch protection rules.
+ # - https://docs.github.com/en/code-security/code-scanning
+ - name: Upload results to GitHub
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: 'govulncheck-results.sarif'
+ # TODO: https://go.dev/issue/70157
+ if: ${{ false }}
+
+ # Print any detected vulnerabilities to the workflow log. This step fails
+ # when the tool detects a vulnerability in code that is called.
+ # - https://go.dev/blog/govulncheck
+ - name: Log results
+ run: govulncheck --format text --show verbose ./...
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
index 2a16e4929c..d99e518e5a 100644
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
@@ -1,3 +1,4 @@
+# https://aquasecurity.github.io/trivy
 name: Trivy
 on:
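Review bot: The job's `permissions:` grants `security-events: write` while the only step that needs it, `Upload results to GitHub`, is disabled with `if: ${{ false }}` pending go.dev/issue/70157, so the job holds a write scope it never exercises and leaves `contents` unset. actions/checkout presumably still succeeds here because the repository is public, but the codeql workflow in this same commit pairs `security-events: write` with `actions: read` and `contents: read`; adding `contents: read` keeps the two workflows consistent and the job working should visibility change. Because `GOTOOLCHAIN: local` turns a toolchain mismatch into a hard failure rather than an auto-download, consider passing `go-version-file: go.mod` to the action so the scanned Go version follows the module, after confirming what the action's default toolchain is. I would also move `# TODO: https://go.dev/issue/70157` above the step's `- name:` line so the reason the upload is skipped is visible where the step is read.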
@@ -34,32 +35,28 @@ jobs:
 vulnerabilities: if: ${{ github.repository == 'CrunchyData/postgres-operator' }} - permissions: - # for github/codeql-action/upload-sarif to upload SARIF results - security-events: write + security-events: write runs-on: ubuntu-latest - steps: - uses: actions/checkout@v4 - # Run trivy and log detected and fixed vulnerabilities - # This report should match the uploaded code scan report below - # and is a convenience/redundant effort for those who prefer to - # read logs and/or if anything goes wrong with the upload. - - name: Log all detected vulnerabilities + # Print any detected secrets or vulnerabilities to the workflow log for + # human consumption. This step fails only when Trivy is unable to scan. + # A later step uploads results to GitHub as a pull request check. + - name: Log detected vulnerabilities uses: aquasecurity/trivy-action@0.28.0 with: scan-type: filesystem hide-progress: true - ignore-unfixed: true scanners: secret,vuln + # Manage the cache only once during this workflow. + # - https://github.com/aquasecurity/trivy-action#cache + cache: true - # Upload actionable results to the GitHub Security tab. - # Pull request checks fail according to repository settings. - # - https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github - # - https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning + # Produce a SARIF report of actionable results. This step fails only when + # Trivy is unable to scan. - name: Report actionable vulnerabilities uses: aquasecurity/trivy-action@0.28.0 with:
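Review bot: The `Log detected vulnerabilities` step drops `ignore-unfixed: true`, so findings with no available fix now appear in the workflow log as well; if that is intended, the comment above the step should say so, since the SARIF step below presumably keeps its own settings outside this hunk. The same step prints `secret` findings to a log that is world-readable on a public repository; Trivy masks matched values in its table output as far as I recall, but that is worth confirming before relying on the log for secret results. The `permissions:` lines at the top of the hunk appear to remove and re-add `security-events: write` with no visible change; if that is whitespace only, a rationale comment like the one being removed (`# for github/codeql-action/upload-sarif to upload SARIF results`) is still useful next to the scope. The job definition continues past the end of the hunk.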
@@ -68,8 +65,14 @@ jobs:
 format: 'sarif'
 output: 'trivy-results.sarif'
 scanners: secret,vuln
+ # Use the cache downloaded in a prior step.
+ # - https://github.com/aquasecurity/trivy-action#cache
+ cache: false
- - name: Upload Trivy scan results to GitHub Security tab
+ # Submit the SARIF report to GitHub code scanning. Pull requests checks
+ # succeed or fail according to branch protection rules.
+ # - https://docs.github.com/en/code-security/code-scanning
+ - name: Upload results to GitHub
 uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: 'trivy-results.sarif'
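Review bot: The new comment line `# Submit the SARIF report to GitHub code scanning. Pull requests checks` should read `Pull request checks`, matching the same sentence in govulncheck.yaml. `cache: false` on the SARIF step depends on the `Log detected vulnerabilities` step earlier in the job, outside this hunk, having run with `cache: true` on the same runner; naming that step in `# Use the cache downloaded in a prior step.` would keep the coupling visible if the steps are ever reordered. The step's `with:` block begins before the hunk.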