diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
index d506182dc51..0a2857d6aa9 100644
--- a/.github/workflows/vulnerability-scan.yml
+++ b/.github/workflows/vulnerability-scan.yml
@@ -24,12 +24,23 @@ jobs:
 - main
 - release-2.5
 steps:
- - uses: actions/checkout@v4
+ - name: Checkout ${{ matrix.ref }} branch
+ uses: actions/checkout@v4
 with:
 ref: ${{ matrix.ref }}
+ fetch-depth: 0
+ - name: Get latest release tag
+ id: latest-release
+ run: echo "tag=$(git -c versionsort.suffix=- tag --merged HEAD --sort=-version:refname | head -1)" >> "${GITHUB_OUTPUT}"
+ - name: Checkout ${{ steps.latest-release.outputs.tag }}
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ steps.latest-release.outputs.tag }}
 - name: Set up Go
 uses: actions/setup-go@v5
 with:
- go-version: 1.24.0
+ # Always use the latest Go release to avoid false positives from older
+ # versions of the Go standard library
+ go-version: stable
 - name: Scan
 run: make scan
diff --git a/Makefile b/Makefile
index 862471612d7..f5f14e2a1f2 100644
--- a/Makefile
+++ b/Makefile
@@ -376,4 +376,4 @@ scan: scan-govulncheck ## Run all security scans
 .PHONY: scan-govulncheck
 scan-govulncheck: gotool.govulncheck ## Run gosec security scan
- govulncheck ./...
+ govulncheck -show verbose ./...
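Review bot: The "Get latest release tag" step writes an empty `tag` output without failing when no tag is merged into HEAD, because `head -1` exits 0 and the `run` line has no explicit `shell: bash` (so no `pipefail`) and never checks the substitution result; the following checkout then receives an empty `ref:`, which actions/checkout treats as "use the triggering ref", so the scan silently runs against whatever is already checked out instead of the release tag. A guard on the tag value should be added before it is written to `${GITHUB_OUTPUT}`, as in the block below. Note also that after the third checkout the working tree is the latest tag rather than the `matrix.ref` branch head, so `make scan` no longer covers commits on `main`/`release-2.5` made since that tag — if that is intended, a comment on the step saying so would help; if both are wanted, the scan step should run once before the tag checkout as well. The `jobs:` definition and the matrix start outside the hunk.
```yaml
      - name: Get latest release tag
        id: latest-release
        shell: bash
        run: |
          tag="$(git -c versionsort.suffix=- tag --merged HEAD --sort=-version:refname | head -1)"
          test -n "${tag}" || { echo "::error::no release tag is merged into HEAD"; exit 1; }
          echo "tag=${tag}" >> "${GITHUB_OUTPUT}"
      # … unchanged: checkout of the resolved tag, setup-go, scan …
```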
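Review bot: The help text on the `scan-govulncheck` target still says `## Run gosec security scan` although the recipe the commit edits runs govulncheck, so `make help`-style listings describe the wrong tool; since this line is being touched, change it to `scan-govulncheck: gotool.govulncheck ## Run govulncheck vulnerability scan`. The `-show verbose` flag itself looks fine and only affects output detail, not the exit status on findings.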