Add govulncheck analyzer pass

Dockerfile

@@ -3,13 +3,15 @@ ARG GOLANGCI_LINT_VERSION=v2.12.2
 # Update whenever GOLANGCI_LINT_VERSION changes.
 ARG GOLANGCI_LINT_SHA256=8df580d2670fed8fa984aac0507099af8df275e665215f5c7a2ae3943893a553
 ARG GOSEC_VERSION=v2.22.8
+ARG GOVULNCHECK_VERSION=v1.1.4
 ARG SEMGREP_VERSION=1.84.1
 
 FROM golang:1.26.3-alpine3.23@sha256:91eda9776261207ea25fd06b5b7fed8d397dd2c0a283e77f2ab6e91bfa71079d AS builder
 
 ARG GOLANGCI_LINT_VERSION
 ARG GOLANGCI_LINT_SHA256
 ARG GOSEC_VERSION
+ARG GOVULNCHECK_VERSION
 ARG SEMGREP_VERSION
 
 WORKDIR /go/src/github.com/grafana/plugin-validator
@@ -41,6 +43,11 @@ RUN set -eux; \
 RUN curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | \
     sh -s -- -b /usr/local/bin ${GOSEC_VERSION}
 
+# govulncheck is distributed as a Go module — install with `go install` rather
+# than a binary tarball. Pinned version is fixed via the ARG above.
+RUN go install golang.org/x/vuln/cmd/govulncheck@${GOVULNCHECK_VERSION} && \
+    mv "$(go env GOPATH)/bin/govulncheck" /usr/local/bin/govulncheck
+
 RUN python3 -m pip install semgrep==${SEMGREP_VERSION} --ignore-installed --break-system-packages
 
 RUN mage -v build:lint
@@ -52,12 +59,16 @@ FROM alpine:3.23@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a50
 ARG GOSEC_VERSION
 ARG SEMGREP_VERSION
 
-RUN apk add --no-cache git ca-certificates curl wget python3 python3-dev py3-pip alpine-sdk clamav nodejs=24.14.1-r0 npm
+# govulncheck source mode shells out to the Go command to load packages.
+RUN apk add --no-cache git go ca-certificates curl wget python3 python3-dev py3-pip alpine-sdk clamav nodejs=24.14.1-r0 npm
 RUN update-ca-certificates
 RUN freshclam
 
 RUN curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b /usr/local/bin ${GOSEC_VERSION}
 
+# govulncheck is built in the builder stage; copy the static binary in.
+COPY --from=builder /usr/local/bin/govulncheck /usr/local/bin/govulncheck
+
 # install semgrep
 RUN python3 -m pip install semgrep==${SEMGREP_VERSION} --ignore-installed --break-system-packages --no-cache-dir
 

README.md

@@ -259,6 +259,7 @@ This validator makes uses of the following open source security tools:
 - [osv-scanner](https://github.com/google/osv-scanner)
 - [semgrep](https://github.com/returntocorp/semgrep)
 - [gosec](https://github.com/securego/gosec)
+- [govulncheck](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck)
 
 If you run the validator locally or via NPX you can benefit from installing these tools in your system to make them part of your validation checks.
 
@@ -291,6 +292,7 @@ Run "mage gen:readme" to regenerate this section.
 | Discoverability / `discoverability` | Warns about missing keywords and description that are used for plugin indexing in the catalog. | None |
 | Go Manifest / `go-manifest` | Validates the build manifest. | None |
 | Go Security Checker / `go-sec` | Inspects source code for security problems by scanning the Go AST. | [gosec](https://github.com/securego/gosec), `sourceCodeUri` |
+| Go Vulnerability Checker / `govulncheck` | Scans Go backend source and plugin backend binaries for known vulnerabilities (govulncheck). | [govulncheck](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck), `sourceCodeUri` for source scans |
 | JS Source Map / `jsMap` | Checks for required `module.js.map` file(s) in archive. | `sourceCodeUri` |
 | Legacy Grafana Toolkit usage / `legacybuilder` | Detects the usage of the not longer supported Grafana Toolkit. | None |
 | Legacy Platform / `legacyplatform` | Detects use of Angular which is deprecated. | None |

pkg/analysis/passes/analysis.go

@@ -17,6 +17,7 @@ import (
 	"github.com/grafana/plugin-validator/pkg/analysis/passes/discoverability"
 	"github.com/grafana/plugin-validator/pkg/analysis/passes/gomanifest"
 	"github.com/grafana/plugin-validator/pkg/analysis/passes/gosec"
+	"github.com/grafana/plugin-validator/pkg/analysis/passes/govulncheck"
 	"github.com/grafana/plugin-validator/pkg/analysis/passes/grafanadependency"
 	"github.com/grafana/plugin-validator/pkg/analysis/passes/includesnested"
 	"github.com/grafana/plugin-validator/pkg/analysis/passes/jargon"
@@ -71,6 +72,7 @@ var Analyzers = []*analysis.Analyzer{
 	discoverability.Analyzer,
 	gomanifest.Analyzer,
 	gosec.Analyzer,
+	govulncheck.Analyzer,
 	includesnested.Analyzer,
 	jargon.Analyzer,
 	jssourcemap.Analyzer,