Try turning on deps vuln checking using govulncheck as well

kovidgoyal · kovidgoyal · commit 5c15a6e372e5 · 2025-09-24T09:39:14.000+05:30
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -9,9 +9,6 @@ on:
     schedule:
         - cron: '0 22 * * 5'
 
-permissions:
-    contents: read # to fetch code (actions/checkout)
-
 jobs:
     CodeQL-Build:
 
@@ -67,3 +64,17 @@ jobs:
 
         - name: Perform CodeQL Analysis
           uses: github/codeql-action/analyze@v3
+
+        - name: Run govulncheck
+          if: matrix.language == 'go'
+          uses: golang/govulncheck-action@v1
+          with:
+              output-format: sarif
+              output-file: govulncheck.sarif
+
+        - name: Upload govulncheck results
+          if: matrix.language == 'go'
+          uses: github/codeql-action/upload-sarif@v3
+          with:
+              sarif_file: govulncheck.sarif
+              category: govulncheck
