govulncheck can block all PRs due to new entries being added to the vulndb, without any connection to the PR changes. We should scope it down significantly, ideally to only run on changes which add new dependencies. Independently, it should run on a schedule on main and publish its findings to GitHub's Security panel.
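One workflow shape that implements this split, as an added example rather than the project's own CI config. It assumes a single Go module at the repository root, treats a change to `go.mod`/`go.sum` as the proxy for "adds new dependencies" (a paths filter cannot distinguish additions from bumps or removals), and uses govulncheck's `-format sarif` output plus the `upload-sarif` action to feed the Security panel.

```yaml
name: govulncheck

on:
  # Assumption: a PR "adds dependencies" when it touches go.mod or go.sum.
  # Unrelated PRs never run this job, so new vulndb entries cannot block them.
  pull_request:
    paths:
      - 'go.mod'
      - 'go.sum'
  # Scheduled scan of main, independent of any PR.
  schedule:
    - cron: '0 6 * * *'   # daily at 06:00 UTC; adjust as needed
  workflow_dispatch:

permissions:
  contents: read

jobs:
  pr-scan:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      # Non-zero exit fails the check only for PRs that changed dependencies;
      # govulncheck reports only vulnerabilities reachable from this module.
      - run: go run golang.org/x/vuln/cmd/govulncheck@latest ./...

  scheduled-scan:
    if: github.event_name != 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # needed to upload SARIF to the Security tab
    steps:
      - uses: actions/checkout@v4
        with:
          ref: main
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      # The scheduled run never fails the workflow; findings are published
      # as code-scanning alerts instead. govulncheck exits non-zero when it
      # finds something, hence the trailing `|| true`.
      - run: go run golang.org/x/vuln/cmd/govulncheck@latest -format sarif ./... > govulncheck.sarif || true
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: govulncheck.sarif
```

Alerts from the scheduled job appear under the repository's Security tab as code scanning results, where they can be triaged and dismissed without touching any PR.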