security-scanning-security-dependencies

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The CI and scan steps install and execute remote tooling (e.g., "go install golang.org/x/vuln/cmd/govulncheck@latest"), which fetches and runs remote code at runtime and is required for the Go vulnerability scan.