Checks: add govulncheck and gosec

gosec run G115 is disabled

.github/workflows/ci.yml

@@ -25,7 +25,7 @@ jobs:
       run: make get_tools
 
     - name: Run Makefile checks
-      run: make static_check
+      run: make checks
 
   tests:
     name: Run Go ${{ matrix.go }} tests

Makefile

@@ -5,8 +5,8 @@ test_gotest:
 	go clean -testcache
 	go test -timeout=0 ./...
 
-.PHONY: static_check
-static_check: check_tools
+.PHONY: checks
+checks: check_tools
 	@echo Checking correct formatting of files
 
 	@FMTOUT=$$(go fmt ./...); \
@@ -43,6 +43,26 @@ static_check: check_tools
 		echo "$$STATICCHECKOUT";\
 		false;\
     fi
+
+	@GOVULNCHECKOUT=$$(govulncheck ./...); \
+	if echo "$$GOVULNCHECKOUT" | grep -q "No vulnerabilities found"; then\
+		echo "govulncheck: OK";\
+    else \
+		echo "govulncheck:" >&2;\
+		echo "$$GOVULNCHECKOUT" >&2;\
+		false;\
+	fi
+
+# gosec rule G115: Is exluded because there are int->uin64 conversions
+# and the rule currently contains false positives
+	@GOSECOUT=$$(gosec -quiet -exclude=G115 ./...); \
+	if [ -z "$$GOSECOUT" ]; then\
+		echo "gosec: OK (excluding G115)";\
+	else \
+		echo "gosec: problems in files:";\
+		echo "$$GOSECOUT";\
+		false;\
+	fi
 
 	@echo Checking all local changes are committed
 	go mod tidy
@@ -52,13 +72,15 @@ static_check: check_tools
 test: test_gotest
 
 .PHONY: ci_test
-ci_test: static_check test_gotest
+ci_test: checks test_gotest
 
-EXECUTABLES = goimports staticcheck
+EXECUTABLES = goimports staticcheck govulncheck gosec
 .PHONY: get_tools
 get_tools:
 	go install golang.org/x/tools/cmd/goimports@latest
 	go install honnef.co/go/tools/cmd/staticcheck@2023.1.7
+	go install golang.org/x/vuln/cmd/govulncheck@latest
+	go install github.com/securego/gosec/v2/cmd/gosec@latest
 
 .PHONY: check_tools
 check_tools: