From 43279bd2bebc5b3b06e65632e4a5f7f4ec12f376 Mon Sep 17 00:00:00 2001
From: Sylvain <1552102+sgaunet@users.noreply.github.com>
Date: Tue, 6 Jan 2026 20:18:26 +0100
Subject: [PATCH] ci: add automated vulnerability scanning workflow

Add monthly scheduled vulnerability scans using govulncheck to detect known security issues in Go dependencies and code.

- Run on push/PR to main branch
- Monthly scheduled scan (1st of each month at 2 AM)
- Manual trigger support via workflow_dispatch
- Uses golang/govulncheck-action for comprehensive scanning

Fixes #55
---
 .github/workflows/vulnerability-scan.yml | 34 ++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 .github/workflows/vulnerability-scan.yml

diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
new file mode 100644
index 0000000..629a03a
--- /dev/null
+++ b/.github/workflows/vulnerability-scan.yml
@@ -0,0 +1,34 @@
+name: Vulnerability Scan
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '0 2 1 * *' # Run at 2 AM on the 1st of every month
+  workflow_dispatch: # Allow manual triggering
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  vulnerability-scan:
+    runs-on: ubuntu-latest
+    name: Run govulncheck
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+
+      - name: Run govulncheck
+        uses: golang/govulncheck-action@v1
+        with:
+          go-package: ./...
\ No newline at end of file
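Review bot: The three `uses:` references (`actions/checkout@v5`, `actions/setup-go@v5`, `golang/govulncheck-action@v1`) are pinned to mutable major tags, so a workflow whose purpose is supply-chain hygiene is itself exposed to a tag being moved to different code; pin each to a full-length commit SHA with the tag in a trailing comment, e.g. `uses: golang/govulncheck-action@<full-commit-sha> # v1`, and let Dependabot or Renovate bump the SHAs. The `security-events: write` grant in `permissions:` is not exercised by anything in the job as written — no SARIF is produced or uploaded — so either drop it to keep the token at `contents: read` only, or make use of it by setting the action's `output-format: sarif` / `output-file` inputs and adding an upload step. If I read its action.yml correctly, govulncheck-action also performs its own checkout and Go setup by default, which would make the two explicit steps redundant and could install a Go version other than the one in `go.mod`; passing `go-version-file: go.mod` to the action (and `repo-checkout: false` if the separate checkout is kept) would make the intended toolchain explicit — worth confirming against the action's documentation. Unrelated to security: the file lacks a trailing newline and `on:` will trip yamllint's `truthy` rule, which is expected for GitHub Actions and can be suppressed with a `# yamllint disable-line rule:truthy` comment.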