Run vulnerability scan on latest release tags

Vulnerability scans were previously run on the latest state of currently
developed branches. This provided assurance that the current branch
state did not contain known vulnerabilities in dependencies, but did not
provide assurance that the currently released code was free of
vulnerabilities.

This change runs vulnerability scans on the most recent release version
tag for currently developed branches. Scan failures now indicate that a
new release is required to address vulnerabilities in dependencies.

Signed-off-by: Mark S. Lewis <[email protected]>

.github/workflows/vulnerability-scan.yml

@@ -24,12 +24,23 @@ jobs:
           - main
           - release-2.5
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout ${{ matrix.ref }} branch
+        uses: actions/checkout@v4
         with:
           ref: ${{ matrix.ref }}
+          fetch-depth: 0
+      - name: Get latest release tag
+        id: latest-release
+        run: echo "tag=$(git -c versionsort.suffix=- tag --merged HEAD --sort=-version:refname | head -1)" >> "${GITHUB_OUTPUT}"
+      - name: Checkout ${{ steps.latest-release.outputs.tag }}
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ steps.latest-release.outputs.tag }}
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: 1.24.0
+          # Always use the latest Go release to avoid false positives from older
+          # versions of the Go standard library
+          go-version: stable
       - name: Scan
         run: make scan

Makefile

@@ -376,4 +376,4 @@ scan: scan-govulncheck ## Run all security scans
 
 .PHONY: scan-govulncheck
 scan-govulncheck: gotool.govulncheck ## Run gosec security scan
-	govulncheck ./...
+	govulncheck -show verbose ./...