Feature request: add govulncheck

[thypon]

npm-audit for govulncheck

[kdenhartog]

@thypon or @bcaller do you have any preference how this gets implemented? This would be useful to get added into bat-go and so I was thinking about implementing it so I could require it as a part of https://github.com/brave/security/issues/829

[thypon]

It is not super clear to me if the project needs to be compilable to execute, that's what is holding me at the current stage.
It does seem to have a format very similar to reviewdog, so it should be easy to add here https://github.com/brave/security-action/blob/main/assets/reviewdog/reviewdog.yml#L55

I will give a try tomorrow

[bcaller]

Have you tried running govulncheck on bat-go source code to see if the current recommendations make sense?

Firstly, you need to enter the directory of each module and run govulncheck from there once for each module.

For me, the output is not like in the docs. It is quite verbose, so we would need to use -json and then massage the output with jq like the other checks in reviewdog.yml.

When I ran it on bat-go/main/ I wasn't sure that it had correctly figured out the stack trace and so I wasn't sure that the results were sensible.