From 0f671387e0c81398bfd1d74335ffb4515d1b4085 Mon Sep 17 00:00:00 2001
From: Vanshika Vanshika
Date: Tue, 12 May 2026 12:27:14 +0530
Subject: [PATCH 1/3] added govulncheck

Signed-off-by: Vanshika Vanshika
rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
---
 .github/workflows/security.yml | 40 ++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 0259d8a2b9e..3e7b06e7e58 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -69,3 +69,43 @@ jobs:
 - name: Run safety scan
 continue-on-error: true
 run: safety scan --output json
+
+ govulncheck:
+ name: Go Vulnerability Check (${{ matrix.module }})
+ runs-on: ubuntu-latest
+ timeout-minutes: 15
+ permissions:
+ contents: read
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - module: go-feature-server
+ working-directory: .
+ go-version-file: go.mod
+ needs-protos: true
+ - module: feast-operator
+ working-directory: infra/feast-operator
+ go-version-file: infra/feast-operator/go.mod
+ needs-protos: false
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version-file: ${{ matrix.go-version-file }}
+
+ - name: Compile Go protobuf files
+ if: matrix.needs-protos
+ run: make compile-protos-go
+
+ - name: Install govulncheck
+ run: go install golang.org/x/vuln/cmd/govulncheck@latest
+
+ - name: Run govulncheck
+ working-directory: ${{ matrix.working-directory }}
+ run: govulncheck ./...

From cd66b99bf47652e5fdd24527335f80e23710010d Mon Sep 17 00:00:00 2001
From: Vanshika Vanshika
Date: Wed, 20 May 2026 13:22:40 +0530
Subject: [PATCH 2/3] fix-CI

Signed-off-by: Vanshika Vanshika
rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
---
 .github/workflows/security.yml | 1 +
 1 file changed, 1 insertion(+)
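Review bot: The third-party actions added in this hunk, `actions/checkout@v4` and `actions/setup-go@v5`, are referenced by floating major tags, which is the one place a security-scanning job should be stricter: a tag can be moved to different content after this review, so the job's own supply chain is only as trustworthy as the upstream maintainers' tag hygiene. Pin each to a full commit SHA and keep the version as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, and let Dependabot or Renovate bump the SHA; the same applies to `golang/govulncheck-action@v1` and `github/codeql-action/upload-sarif@v4` introduced in patch 3/3. `go install .../govulncheck@latest` has the same reproducibility problem, but patch 3/3 already replaces it, so no change is needed here. The job-level `permissions: contents: read` and `timeout-minutes: 15` are the right defaults and worth keeping as the job grows.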
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 3e7b06e7e58..a0c1e979309 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -107,5 +107,6 @@ jobs:
 run: go install golang.org/x/vuln/cmd/govulncheck@latest
 
 - name: Run govulncheck
+ continue-on-error: true
 working-directory: ${{ matrix.working-directory }}
 run: govulncheck ./...

From c51da0eaef067072ff33020f7262b72e24a2e027 Mon Sep 17 00:00:00 2001
From: Vanshika Vanshika
Date: Thu, 21 May 2026 13:38:21 +0530
Subject: [PATCH 3/3] ci: Use official govulncheck-action with SARIF upload

Signed-off-by: Vanshika Vanshika
rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
---
 .github/workflows/security.yml | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index a0c1e979309..8a14001e2a9 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -76,6 +76,7 @@ jobs:
 timeout-minutes: 15
 permissions:
 contents: read
+ security-events: write
 
 strategy:
 fail-fast: false
@@ -103,10 +104,19 @@ jobs:
 if: matrix.needs-protos
 run: make compile-protos-go
 
- - name: Install govulncheck
- run: go install golang.org/x/vuln/cmd/govulncheck@latest
-
 - name: Run govulncheck
- continue-on-error: true
- working-directory: ${{ matrix.working-directory }}
- run: govulncheck ./...
+ uses: golang/govulncheck-action@v1
+ with:
+ work-dir: ${{ matrix.working-directory }}
+ go-version-file: ${{ matrix.go-version-file }}
+ go-package: ./...
+ output-format: sarif
+ output-file: govulncheck-${{ matrix.module }}.sarif
+ repo-checkout: false
+
+ - name: Upload SARIF to GitHub Security
+ if: always()
+ uses: github/codeql-action/upload-sarif@v4
+ with:
+ sarif_file: ${{ matrix.working-directory }}/govulncheck-${{ matrix.module }}.sarif
+ category: govulncheck-${{ matrix.module }}
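Review bot: `security-events: write` is the minimal scope upload-sarif needs, but it is only granted when the run has a writable GITHUB_TOKEN; on `pull_request` runs from forked repositories the token is read-only regardless of this block, so the upload step added further down will fail there even though the scan itself succeeded. The workflow's triggers are outside this hunk, so I cannot confirm whether fork PRs reach this job; if they do, gate the upload on `github.event.pull_request.head.repo.full_name == github.repository` or keep the SARIF upload to `push` runs. A one-line comment above the permission, `# required by codeql-action/upload-sarif; not granted on fork PRs`, would record the constraint for the next person who sees the step fail.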
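Review bot: The `if: always()` on the new upload step also fires when the run was cancelled or when the govulncheck step died before writing its output, in which case upload-sarif fails on a missing `govulncheck-${{ matrix.module }}.sarif` and that error hides the real one; `if: ${{ !cancelled() }}` combined with a `hashFiles()` guard on the SARIF path keeps the upload to runs that produced a report. Separately, as far as I recall govulncheck exits 0 in SARIF (and JSON) output mode regardless of findings, so after this change the job no longer fails on a vulnerable dependency and the results are visible only in the Security tab. If that is intended, say so on the step with `# findings go to the Security tab; this step does not gate merges`; if gating is wanted, a second text-mode run (`govulncheck ./...` in the module directory) is needed next to the SARIF one. The earlier `Set up Go` step now looks redundant, since the action receives `go-version-file` and sets up Go itself, though I cannot see from the hunk whether anything else in the job relies on it; the `govulncheck` job and its `steps:` list begin above this hunk.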