govulncheck to report known vulnerabilities#2631
Conversation
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Oh! Been planning for some time to look at something like this! I may borrow this (or of course happy to review a PR 😁)
Yes I think we should have something similar across our projects. I will look to open follow-ups on buildkit and moby |
After merging we got one reported for Sad that region in And as we can see dependabot also opened a PR #2634 but as stated in #2631 (comment) we should just disable dependabot for security updates and track this ourselves.


Runs the govulncheck tool in our workflow to report known vulnerabilities that affect Go code, using the Go vulnerability database at https://vuln.go.dev/, and outputs a SARIF report that will be uploaded to GitHub Code scanning so we have these issues reported in the Security tab, like we have done with Docker Scout in #2624.
At the moment dependabot will open a pull request when such vulnerabilities are found, similar to #2337, but we often close them because it needs coordination with upstream repositories first.
I suggest disabling security updates for Dependabot under https://github.com/docker/buildx/settings/security_analysis and checking issues reported in the Security tab instead with this workflow, if we are ok with it:
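An added example, not code from this PR or from buildx, of what the SARIF report described above contains and how a CI step can act on it before or alongside the upload to Code scanning. It assumes the report was produced with `govulncheck -format sarif ./... > govulncheck.sarif` and that govulncheck uses SARIF level `error` for a reachable vulnerable symbol, `warning` for an imported vulnerable package and `note` for a merely required module (assumed here, not stated in the PR). The embedded SARIF document is constructed for this example and the `GO-0000-000N` ids are placeholders, not real Go vulnerability database entries.

```go
package main

// Summarize the SARIF report written by govulncheck so a CI job can list the
// known vulnerabilities and decide whether to fail the build.
// Assumed generation command: govulncheck -format sarif ./... > govulncheck.sarif
// The sample below is constructed; GO-0000-000N ids are placeholders.

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
)

// sarifReport covers the subset of SARIF 2.1.0 a vulnerability summary needs.
type sarifReport struct {
	Runs []struct {
		Tool struct {
			Driver struct {
				Name  string `json:"name"`
				Rules []struct {
					ID               string `json:"id"`
					HelpURI          string `json:"helpUri"`
					ShortDescription struct {
						Text string `json:"text"`
					} `json:"shortDescription"`
				} `json:"rules"`
			} `json:"driver"`
		} `json:"tool"`
		Results []struct {
			RuleID  string `json:"ruleId"`
			Level   string `json:"level"`
			Message struct {
				Text string `json:"text"`
			} `json:"message"`
		} `json:"results"`
	} `json:"runs"`
}

// Finding is one reported vulnerability joined with its rule metadata.
type Finding struct {
	ID      string // Go vulnerability database id (GO-YYYY-NNNN)
	Level   string // SARIF level: error, warning or note
	Summary string // rule shortDescription
	URL     string // rule helpUri
	Message string // result message
}

// levelRank orders SARIF levels from most to least severe (assumed mapping:
// error = reachable symbol, warning = imported package, note = required module).
func levelRank(level string) int {
	switch level {
	case "error":
		return 0
	case "warning":
		return 1
	case "note":
		return 2
	}
	return 3
}

// Summarize parses a SARIF document and returns its findings, most severe first.
func Summarize(data []byte) ([]Finding, error) {
	var rep sarifReport
	if err := json.Unmarshal(data, &rep); err != nil {
		return nil, fmt.Errorf("parse sarif: %w", err)
	}
	var findings []Finding
	for _, run := range rep.Runs {
		rules := map[string]Finding{} // rule id -> metadata, to enrich each result
		for _, r := range run.Tool.Driver.Rules {
			rules[r.ID] = Finding{ID: r.ID, Summary: r.ShortDescription.Text, URL: r.HelpURI}
		}
		for _, res := range run.Results {
			f := rules[res.RuleID] // zero Finding if the rule entry is missing
			f.ID, f.Level, f.Message = res.RuleID, res.Level, res.Message.Text
			findings = append(findings, f)
		}
	}
	sort.SliceStable(findings, func(i, j int) bool {
		return levelRank(findings[i].Level) < levelRank(findings[j].Level)
	})
	return findings, nil
}

// ShouldFail is the CI gate: only "error" findings (a call path into the
// vulnerable symbol) block the build; lower levels are still surfaced in the
// Security tab via the SARIF upload.
func ShouldFail(findings []Finding) bool {
	for _, f := range findings {
		if f.Level == "error" {
			return true
		}
	}
	return false
}

// sampleSARIF is a constructed report in the SARIF 2.1.0 shape; not real data.
const sampleSARIF = `{"version":"2.1.0","runs":[{"tool":{"driver":{"name":"govulncheck","rules":[
{"id":"GO-0000-0001","shortDescription":{"text":"Constructed: path traversal in example.com/archive"},"helpUri":"https://pkg.go.dev/vuln/GO-0000-0001"},
{"id":"GO-0000-0002","shortDescription":{"text":"Constructed: denial of service in example.com/net"},"helpUri":"https://pkg.go.dev/vuln/GO-0000-0002"},
{"id":"GO-0000-0003","shortDescription":{"text":"Constructed: unsafe default in example.com/tls"},"helpUri":"https://pkg.go.dev/vuln/GO-0000-0003"}
]}},"results":[
{"ruleId":"GO-0000-0002","level":"note","message":{"text":"module example.com/net is required but not imported"}},
{"ruleId":"GO-0000-0001","level":"error","message":{"text":"archive.Extract is called from main.run"}},
{"ruleId":"GO-0000-0003","level":"warning","message":{"text":"package example.com/tls is imported but the vulnerable symbol is not called"}}
]}]}`

func main() {
	findings, err := Summarize([]byte(sampleSARIF))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("%-8s %s  %s\n         %s\n", f.Level, f.ID, f.Summary, f.URL)
	}
	if ShouldFail(findings) {
		fmt.Println("reachable vulnerability found, failing the build")
		os.Exit(1)
	}
}
```

Gating only on `error` matches the PR's intent: package- and module-level hits still appear in the Security tab for tracking, but they do not block merges that need upstream coordination first.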