Ensure that gosec does not pick the golang vulnerabilities.

.github/workflows/go-pr.yaml

@@ -69,11 +69,36 @@ jobs:
         run: go install golang.org/x/vuln/cmd/govulncheck@latest
 
       - name: Run govulncheck
-        run: govulncheck ./...
+        run: |
+          # Run govulncheck and capture output
+          set +e
+          OUTPUT=$(govulncheck -show verbose ./... 2>&1)
+          EXIT_CODE=$?
+          echo "$OUTPUT"
+
+          # If there are vulnerabilities, check if they're only in stdlib
+          if [ $EXIT_CODE -ne 0 ]; then
+            # Check if there are any third-party package vulnerabilities
+            # Stdlib vulnerabilities show "Found in: <pkg>@go<version>" (e.g., crypto/x509@go1.25.4)
+            # Third-party vulns show "Found in: <pkg>@v<version>" (e.g., github.com/foo/bar@v1.2.3)
+            if echo "$OUTPUT" | grep -q "Found in:"; then
+              # If no "Found in:" lines contain @v (third-party version), only stdlib affected
+              if ! echo "$OUTPUT" | grep "Found in:" | grep -qE "@v[0-9]"; then
+                echo ""
+                echo "⚠️  Only stdlib vulnerabilities found - these require a Go version upgrade"
+                echo "✅ No vulnerabilities in third-party dependencies"
+                exit 0
+              fi
+            fi
+            exit $EXIT_CODE
+          fi
 
   gosec:
     name: Gosec SARIF
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -103,6 +128,9 @@ jobs:
   codeql:
     name: CodeQL Analysis
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4