From df655b0762485ed673c29f40539b441abdde76c5 Mon Sep 17 00:00:00 2001
From: Ryan VanGundy <85766511+rmvangun@users.noreply.github.com>
Date: Tue, 13 Jan 2026 18:08:48 -0500
Subject: [PATCH 1/2] chore(ci): Add govulncheck

Signed-off-by: Ryan VanGundy <85766511+rmvangun@users.noreply.github.com>
---
 .github/workflows/ci.yaml | 6 ++++++
 Taskfile.yaml | 2 ++
 2 files changed, 8 insertions(+)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 4a2254b02..939c9cbda 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -134,6 +134,12 @@ jobs:
 GOTOOLCHAIN: 'auto'
 GOFLAGS: '-buildvcs=false'
 
+ - name: Run Govulncheck Security Scanner
+ run: govulncheck ./...
+ env:
+ GOTOOLCHAIN: 'auto'
+ GOFLAGS: '-buildvcs=false'
+
 release:
 runs-on: windows-latest
 needs: [build-and-test, sast-scan]
diff --git a/Taskfile.yaml b/Taskfile.yaml
index 996730c96..ff7770f06 100644
--- a/Taskfile.yaml
+++ b/Taskfile.yaml
@@ -54,7 +54,9 @@ tasks:
 desc: Scan for security vulnerabilities
 cmds:
 - go install github.com/securego/gosec/v2/cmd/gosec@latest
+ - go install golang.org/x/vuln/cmd/govulncheck@latest
 - gosec ./...
+ - govulncheck ./...
 
 run:
 desc: Run the Windsor CLI
From 2be7fad22c8c14d7f3a5f4887736b0e675ba6c67 Mon Sep 17 00:00:00 2001
From: Ryan VanGundy <85766511+rmvangun@users.noreply.github.com>
Date: Tue, 13 Jan 2026 18:13:47 -0500
Subject: [PATCH 2/2] Add govulncheck

Signed-off-by: Ryan VanGundy <85766511+rmvangun@users.noreply.github.com>
---
 aqua.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/aqua.yaml b/aqua.yaml
index 0b22807b9..f6f485596 100644
--- a/aqua.yaml
+++ b/aqua.yaml
@@ -31,3 +31,4 @@ packages:
 - name: aws/aws-cli@2.32.33
 - name: twistedpair/google-cloud-sdk@551.0.0
 - name: opentofu/opentofu@v1.11.1
+- name: golang/vuln/govulncheck@v1.1.4
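Review bot: The new `Run Govulncheck Security Scanner` step in `.github/workflows/ci.yaml` is a hard gate whose outcome depends on data outside the repository, and nothing in the step says so. In its default text mode govulncheck exits non-zero when it finds a vulnerability reachable from the code, and it consults the Go vulnerability database at run time, so the same commit can pass one day and fail the next. Because `release` lists `sast-scan` in `needs` and the step appears to sit at the end of that job (the job header is outside the hunk), a newly published advisory would block releases. I would state that above the step, for example `# Gate: fails on reachable vulnerabilities; results track the live Go vulnerability database`, and consider a scheduled run of the job so new advisories surface without waiting for the next push. The step also assumes `govulncheck` is already on PATH, which patch 2/2 supplies through aqua.yaml only if this job installs the aqua packages earlier.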
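Review bot: The added `- go install golang.org/x/vuln/cmd/govulncheck@latest` in `Taskfile.yaml` installs whatever release is newest at run time, while patch 2/2 pins `golang/vuln/govulncheck@v1.1.4` in aqua.yaml, so the local task and CI can run different scanner versions and report different findings. An unpinned `@latest` also means the binary executed on a developer machine can change without any commit in this repository. Pinning the line to the same release, `- go install golang.org/x/vuln/cmd/govulncheck@v1.1.4`, keeps the two paths aligned; the existing gosec line above it follows the same unpinned pattern. Task also stops at the first failing command by default, so when `gosec ./...` reports findings the new `- govulncheck ./...` does not run. The task's name line is outside the hunk.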