Vulnerability Scans #31

	name: Vulnerability Scans

	on:
	schedule:
	- cron: '0 06 * * 0' # 6am UTC on Sundays
	workflow_dispatch:

	permissions:
	contents: read

	jobs:
	vulnerability-scans:
	name: Run vulnerability scans
	runs-on: ubuntu-latest
	env:
	RELEASE_GO_VER: "1.22"

	steps:
	- name: Check out code
	uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6

	- name: "Set up Go"
	uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
	with:
	go-version: "${{ env.RELEASE_GO_VER }}"
	check-latest: true

	# intentionally not pinned to always run the latest scanner
	- name: "Install govulncheck"
	run: \|
	go install golang.org/x/vuln/cmd/govulncheck@latest

	- name: "Run govulncheck"
	run: \|
	govulncheck ./...

	# intentionally not pinned to always run the latest scanner
	- name: "Install OSV Scanner"
	run: \|
	go install github.com/google/osv-scanner/cmd/osv-scanner@latest

	- name: "Run OSV Scanner"
	run: \|
	osv-scanner --config .osv-scanner.toml -r --experimental-licenses="Apache-2.0,BSD-3-Clause,MIT,CC-BY-SA-4.0,UNKNOWN" .

Provide feedback