Summary

I'm running into a version mismatch when running gosec in Github Actions. I have a dependency ariga.io/atlas v0.25.0 which is forcing my go.mod file to specify the Go version as go 1.22.5. It appear the Docker image securego/gosec:2.20.0 was built iwth go 1.22.3. This results in my CI action failing with errors such as:

Golang errors in file: [cmd]:

  > [line 0 : column 0] - loading files from package "cmd": err: exit status 1: stderr: go: go.mod requires go >= 1.22.5 (running go 1.22.3; GOTOOLCHAIN=local)

I'm not sure if there is a workaround or if a new Docker image could be built with the latest Go version.

Steps to reproduce the behavior

Use Github Action (setup-go may not be needed):

jobs:
  gosec:
    name: Gosec
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version: '1.22.5'

      - name: Run Gosec Security Scanner
        uses: securego/gosec@master
        with:
          args: '-exclude=G108,G203 -exclude-generated ./...'

gosec version

2.20.0

Go version (output of 'go version')

go version go1.22.5 linux/amd64