fix(validate-go): restore the govulncheck risk-acceptance allowlist#275
fix(validate-go): restore the govulncheck risk-acceptance allowlist#275devantler wants to merge 1 commit into
Conversation
#273 migrated the govulncheck gate to the official golang/govulncheck-action "per maintainer direction", on the stated premise that "no repo currently ships an allowlist file, so there is no behavior change". That premise was already false at merge time — ksail had merged `.govulncheck-allow.txt` (ksail#4985) hours earlier — and the exact edge case #273 flagged as a known risk has now materialised: GO-2026-4887 (Moby/docker daemon-side, Fixed in: N/A) is reachable from ksail and blocks EVERY ksail Go PR, with no available recourse (the documented "bump the module" path can't apply to an unpatchable advisory). The official action has no allowlist equivalent. Restore #272's JSON-mode scan that honours an optional consumer-owned `.govulncheck-allow.txt`: strict by default (no file ⇒ identical to a plain `govulncheck ./...`), but a reachable advisory with no upstream fix can be explicitly, reviewably risk-accepted. Keeps harden-runner, the hardened checkout, and the GOMEMLIMIT/timeout OOM tuning untouched. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Restores the JSON-mode govulncheck scan with an optional .govulncheck-allow.txt allowlist (originally added in #272 and removed in #273) in validate-go-project.yaml. This re-enables explicit, version-controlled risk acceptance for reachable advisories that have no upstream fix (Fixed in: N/A), which currently wedge every Go PR on large consumers like ksail.
Changes:
- Replace the official
golang/govulncheck-actionstep withactions/setup-go+go install govulncheck@v1.3.0+ a custom JSON-mode scan that gates on reachable findings minus an optional allowlist. - Default behavior is unchanged when no
.govulncheck-allow.txtis present (strict gate, equivalent togovulncheck ./...). - Update README to document the new allowlist mechanism and drop the official-action reference.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
.github/workflows/validate-go-project.yaml |
Replaces the official action with the previous custom scan + allowlist gating logic. |
README.md |
Updates the supply-chain bullet to describe the optional .govulncheck-allow.txt allowlist instead of referencing golang/govulncheck-action. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Instead of doing this, we should upstream the feature to the official action, so we do not need to maintain our own solution. |
Closing in favor of #276, to consolidate this concern into a single PR. Per your review here — "Instead of doing this, we should upstream the feature to the official action, so we do not need to maintain our own solution" — this PR's approach (re-implementing the scan as an in-workflow Upstreaming itself is a maintainer-side action: See #276 for the consolidated change. |
Problem — the ksail Go PR lane is wedged with no recourse
A newly-published advisory GO-2026-4887 (Moby/
github.com/docker/docker, AuthZ plugin bypass, Fixed in: N/A) is reachable from ksail (it links the Docker client transitively) and now fails the🛡️ Vulnerability Scanjob on every ksail Go PR — e.g. my own promoted ksail#4986, which is otherwise green. Because the scan ispull_request-only it never runs onmain, somainshows green while the entire PR lane is blocked. There is no available recourse: the documented fix ("bump the affected module") can't apply to an advisory with no upstream fix.Root cause — #273 silently dropped the #272 allowlist
.govulncheck-allow.txt): scan in JSON mode, fail only on reachable advisories not explicitly accepted.golang/govulncheck-action", per maintainer direction) replaced that with the official action, which has no allowlist equivalent and fails on any reachable finding.#273's stated premise was "No repo currently ships an allowlist file, so there is no behavior change" — but that was already false at merge time: ksail merged
.govulncheck-allow.txt(ksail#4985) at ~18:10Z on 2026-06-01, before #273 merged at ~21:45Z. ksail has been shipping a now-inert allowlist ever since, and the precise "Fixed in: N/A reachable advisory" scenario #273 itself flagged as the known risk has now occurred.Fix
Restore #272's JSON-mode scan that honours an optional consumer-owned
.govulncheck-allow.txt:govulncheck ./...(every reachable advisory blocks). No behaviour change for repos without the file.GO-YYYY-NNNN # justificationper line).harden-runner(egress audit), the hardened checkout (persist-credentials: false), and theGOMEMLIMIT: 12GiB+timeout-minutes: 15OOM tuning from fix(validate-go): bound govulncheck memory so it stops OOM-killing the runner #270/ci(security): add harden-runner (egress audit) to every job #274.Validation
actionlintclean on the changed job (the one remaining finding —code-qualitypermission scope — is pre-existing in an unrelated job and is a known actionlint gap, not introduced here).jqlogic functionally tested under bash (the realrun:shell) across three scenarios: (A) a reachable, non-allowlisted advisory → FAIL; (B) all reachable advisories allowlisted, an unreachable one present → PASS; (C) no allowlist file → strict FAIL on all reachable. All behaved as designed.Trade-off — this reverses a maintainer-directed decision
#273 was explicitly maintainer-directed, so this is surfaced as a draft for your call, not a unilateral change:
Propagation note: the PR-time
🛡️ Vulnerability Scanis the org-wide required workflow, which runsvalidate-go-project.yamlat the org-configured ref (currently pastv5.4.0). For this fix to actually unblock ksail PRs, that ref (and/or a new reusable-workflows release) must point at the merged commit — a maintainer/release step outside this repo.Relates to ksail#4986 (blocked), ksail#4985 (
.govulncheck-allow.txt), #272, #273.