Documentation
¶
Overview ¶
Command check-vuln runs govulncheck and fails CI on any advisory that affects our code, with one narrow exception: a documented allowlist of advisory IDs we have reviewed and accepted.
It exists because govulncheck has no native allowlist. `-format json` never sets a non-zero exit code — it streams findings and leaves the verdict to the caller — so this program is that caller: it parses the stream, decides which advisories affect us, subtracts the allowlist, and owns the exit code.
Like cmd/check-changie it is a Go program, not a POSIX-sh task, so it runs identically under PowerShell, bash, and sh; `go run` needs only the pinned toolchain. The `security` mise task invokes it in place of a bare `govulncheck ./...`.
The allowlist is deliberately hostile to rot: an entry that no longer fires (upstream fixed it, the DB withdrew it, the import went away) fails the build until removed, the same discipline nolintlint enforces on //nolint.