James Liu authored
`govulncheck` inspects Go dependencies for known vulnerabilities. We invoke it in the `vulnerability` CI job which runs in pipelines on the default branch. The job is designed to fail if vulns are detected. This is mostly desirable, unless the vuln is related to a dependency that the Gitaly team cannot directly update, such as the Go standard library. In these cases, a failing `vulnerability` job will continue to fail and block pipelines until our Go build images are updated, or the job is disabled completely (leaving us open to other vulns). Introduce a filter which receives the human-readable output of the `govulncheck` tool, applies an ignore list, and allows the job to pass if necessary. An issue template has also been created to track the removal of vulns from the ignore list.
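The following is an added illustration of the kind of filter the commit describes, written for this page; it is not Gitaly's code and does not reproduce the filter that was merged. It assumes that each finding in `govulncheck`'s human-readable output is introduced by a line of the form `Vulnerability #N: GO-YYYY-NNNN` and that a clean scan prints `No vulnerabilities found.`; the ignore-list file format, the `vulnfilter` command name, and the sample report and IDs are all constructed for the example. The filter fails closed: if the report contains neither a finding header nor the clean marker, it refuses to let the job pass rather than silently passing on a changed output format.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"regexp"
	"sort"
	"strings"
)

// vulnIDRe matches the per-finding header in govulncheck's text output,
// e.g. "Vulnerability #1: GO-2023-1840". Assumption: this line shape.
var vulnIDRe = regexp.MustCompile(`^Vulnerability #\d+: (GO-\d{4}-\d+)`)

// noVulnsMarker is what govulncheck prints for a clean scan (assumed wording).
const noVulnsMarker = "No vulnerabilities found."

// parseVulnIDs returns the distinct, sorted vulnerability IDs in the report.
func parseVulnIDs(output string) []string {
	seen := map[string]bool{}
	for _, line := range strings.Split(output, "\n") {
		if m := vulnIDRe.FindStringSubmatch(strings.TrimSpace(line)); m != nil {
			seen[m[1]] = true
		}
	}
	ids := make([]string, 0, len(seen))
	for id := range seen {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	return ids
}

// loadIgnoreList reads one ID per line; "#" starts a comment, so each entry
// can name the tracking issue that justifies the exception.
func loadIgnoreList(r io.Reader) (map[string]bool, error) {
	ignore := map[string]bool{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "#"); i >= 0 {
			line = line[:i]
		}
		if line = strings.TrimSpace(line); line != "" {
			ignore[line] = true
		}
	}
	return ignore, sc.Err()
}

// filterVulns splits reported IDs into those that still block the job and
// those the ignore list suppresses.
func filterVulns(ids []string, ignore map[string]bool) (blocking, ignored []string) {
	for _, id := range ids {
		if ignore[id] {
			ignored = append(ignored, id)
		} else {
			blocking = append(blocking, id)
		}
	}
	return blocking, ignored
}

// evaluate applies the ignore list to a govulncheck report and says whether
// the job may pass. A report with no findings and no clean marker is treated
// as unparseable (fail closed), not as clean.
func evaluate(output string, ignoreList io.Reader) (pass bool, blocking, ignored []string, err error) {
	ignore, err := loadIgnoreList(ignoreList)
	if err != nil {
		return false, nil, nil, err
	}
	ids := parseVulnIDs(output)
	if len(ids) == 0 && !strings.Contains(output, noVulnsMarker) {
		return false, nil, nil, fmt.Errorf("could not parse govulncheck output (format changed?)")
	}
	blocking, ignored = filterVulns(ids, ignore)
	return len(blocking) == 0, blocking, ignored, nil
}

func die(msg string) {
	fmt.Fprintln(os.Stderr, msg)
	os.Exit(2)
}

// Usage (placeholder names): govulncheck ./... > report.txt || true
//                            vulnfilter ignore.txt < report.txt
func main() {
	if len(os.Args) != 2 {
		die("usage: vulnfilter <ignore-list> < govulncheck-output")
	}
	ignoreFile, err := os.Open(os.Args[1])
	if err != nil {
		die(err.Error())
	}
	defer ignoreFile.Close()
	output, err := io.ReadAll(os.Stdin)
	if err != nil {
		die(err.Error())
	}
	pass, blocking, ignored, err := evaluate(string(output), ignoreFile)
	if err != nil {
		die(err.Error())
	}
	for _, id := range ignored {
		fmt.Printf("ignored (tracked for removal): %s\n", id)
	}
	for _, id := range blocking {
		fmt.Printf("BLOCKING: %s\n", id)
	}
	if !pass {
		os.Exit(1) // keep the CI job red for anything not on the ignore list
	}
}
```

Two things to watch when wiring this into a job: `govulncheck` itself exits non-zero when it finds anything, so under `pipefail` the pipeline would fail before the filter runs; capture the report with `|| true` (or check the exit status separately) and let the filter decide. And the ignore list is keyed on vulnerability IDs, not on the affected package, so a new finding in the same standard-library package still blocks until it is reviewed and listed explicitly.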