chore: add vulncheck tool as a linter

See https://go.dev/security/vuln/

Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>

Dockerfile

@@ -118,6 +118,8 @@ RUN --mount=type=cache,target=/.cache go install k8s.io/code-generator/cmd/deepc
 ARG VTPROTOBUF_VERSION
 RUN --mount=type=cache,target=/.cache go install github.com/planetscale/vtprotobuf/cmd/protoc-gen-go-vtproto@${VTPROTOBUF_VERSION} \
     && mv /go/bin/protoc-gen-go-vtproto /toolchain/go/bin/protoc-gen-go-vtproto
+RUN --mount=type=cache,target=/.cache go install golang.org/x/vuln/cmd/govulncheck@latest \
+    && mv /go/bin/govulncheck /toolchain/go/bin/govulncheck
 RUN curl -sfL https://github.com/uber/prototool/releases/download/v1.10.0/prototool-Linux-x86_64.tar.gz | tar -xz --strip-components=2 -C /toolchain/bin prototool/bin/prototool
 COPY ./hack/docgen /go/src/github.com/talos-systems/talos-hack-docgen
 RUN --mount=type=cache,target=/.cache cd /go/src/github.com/talos-systems/talos-hack-docgen \
@@ -295,6 +297,11 @@ RUN --mount=type=cache,target=/.cache go mod download
 RUN --mount=type=cache,target=/.cache go list all >/dev/null
 WORKDIR /src
 
+# The vulncheck target runs the vulnerability check tool.
+
+FROM build-go AS lint-vulncheck
+RUN --mount=type=cache,target=/.cache govulncheck ./...
+
 # The init target builds the init binary.
 
 FROM base AS init-build-amd64

Makefile

@@ -299,8 +299,8 @@ fmt: ## Formats the source code and protobuf files.
 lint-%: ## Runs the specified linter. Valid options are go, protobuf, and markdown (e.g. lint-go).
 	@$(MAKE) target-lint-$* PLATFORM=linux/amd64
 
-lint: ## Runs linters on go, protobuf, and markdown file types.
-	@$(MAKE) lint-go lint-protobuf lint-markdown
+lint: ## Runs linters on go, vulncheck, protobuf, and markdown file types.
+	@$(MAKE) lint-go lint-vulncheck lint-protobuf lint-markdown
 
 check-dirty: ## Verifies that source tree is not dirty
 	@if test -n "`git status --porcelain`"; then echo "Source tree is dirty"; git status; exit 1 ; fi