govulncheck doesn’t come with Go. The user must install it separately.
How can I manage govulncheck with the go tool / go mod system, without restricting this utility to a specific version/tag/commit/ref? I always want the version to float up to the latest stable release, so that I benefit from the latest security patches.
As a workaround, I have to run separate go get commands outside of the go.mod configuration system. That’s messy, not particularly IaC, and requires my project contributors to have to remember to do that in addition to installing Go, running go install tool. Many contributors will in practice forget these steps.
Some of this can be automated with makefiles as a reasonably portable alternative, but that creates a need to lint makefiles, unnecessarily growing the technology stack outside of the Go ecosystem.