GitHub Actions Deprecation
This repo's CI is entirely pinned to actions running on the Node20 runtime. GitHub switched runners to default to Node24 on June 2, 2026, and will fully remove Node20 support on September 16, 2026 (GitHub changelog) — every pin below is already past the default-cutover date and needs updating before the September removal.
| File(s) |
Action (pinned) |
Runtime |
Bump to |
ci.yaml, docker-publish.yaml, release.yaml |
actions/checkout@v4 |
node20 |
v7 |
| same |
actions/setup-go@v5 |
node20 |
v6 |
ci.yaml |
actions/upload-artifact@v4 |
node20 |
v7 |
ci.yaml, docker-publish.yaml |
golangci/golangci-lint-action@v6 |
node20 |
v9 |
docker-publish.yaml, release.yaml |
docker/setup-qemu-action@v3 |
node20 |
v4 |
| same |
docker/setup-buildx-action@v3 |
node20 |
v4 |
| same |
docker/login-action@v3 |
node20 |
v4 |
docker-publish.yaml |
docker/metadata-action@v5 |
node20 |
v6 |
| same |
docker/build-push-action@v6 |
node20 |
v7 |
release.yaml |
goreleaser/goreleaser-action@v6 |
node20 |
v7 |
This is the most out-of-date workflow set found across the org's repos in this audit.
npm Dependencies
NONE — no package.json in this repo (pure Go module).
Go Module CVEs
No known CVEs in the current (minimal) dependency graph — the sole third-party dependency, gopkg.in/yaml.v3 v3.0.1, is already the patched version for its historical advisory and has no other known issues.
Separately: go.mod declares go 1.23.6, and CI (ci.yaml, docker-publish.yaml, release.yaml) pins go-version: "1.24". Go officially supports only the two most recent major releases; with Go 1.26 released earlier this year, Go 1.24 is outside that support window and is no longer receiving stdlib/crypto security backports. Recommend bumping go.mod and all three CI go-version pins to 1.25 or 1.26 (the cli repo already targets 1.26 — the same pin can be reused here). This is worth prioritizing given internal/scanner/scanner.go does its own TLS certificate-chain verification, which depends on a patched crypto/x509 stdlib.
Terraform Providers
NONE — no *.tf files in this repo.
GitHub Actions Deprecation
This repo's CI is entirely pinned to actions running on the Node20 runtime. GitHub switched runners to default to Node24 on June 2, 2026, and will fully remove Node20 support on September 16, 2026 (GitHub changelog) — every pin below is already past the default-cutover date and needs updating before the September removal.
ci.yaml,docker-publish.yaml,release.yamlactions/checkout@v4v7actions/setup-go@v5v6ci.yamlactions/upload-artifact@v4v7ci.yaml,docker-publish.yamlgolangci/golangci-lint-action@v6v9docker-publish.yaml,release.yamldocker/setup-qemu-action@v3v4docker/setup-buildx-action@v3v4docker/login-action@v3v4docker-publish.yamldocker/metadata-action@v5v6docker/build-push-action@v6v7release.yamlgoreleaser/goreleaser-action@v6v7This is the most out-of-date workflow set found across the org's repos in this audit.
npm Dependencies
NONE — no
package.jsonin this repo (pure Go module).Go Module CVEs
No known CVEs in the current (minimal) dependency graph — the sole third-party dependency,
gopkg.in/yaml.v3 v3.0.1, is already the patched version for its historical advisory and has no other known issues.Separately:
go.moddeclaresgo 1.23.6, and CI (ci.yaml,docker-publish.yaml,release.yaml) pinsgo-version: "1.24". Go officially supports only the two most recent major releases; with Go 1.26 released earlier this year, Go 1.24 is outside that support window and is no longer receiving stdlib/crypto security backports. Recommend bumpinggo.modand all three CIgo-versionpins to1.25or1.26(theclirepo already targets1.26— the same pin can be reused here). This is worth prioritizing giveninternal/scanner/scanner.godoes its own TLS certificate-chain verification, which depends on a patchedcrypto/x509stdlib.Terraform Providers
NONE — no
*.tffiles in this repo.