Automation to scan all release branches/tags for gomod (CVE)

[dfarrell07]

To quickly and reliably determine if we're impacted by a CVE, we need to be able to check all repos, at all release tags and at the tip of all release branches.

I think the best way to determine this is with go mod graph. That shows all direct and indirect dependencies, and why they are needed.

[skitt]

For security analysis, go mod graph can be misleading, notably because it includes all test dependencies. For accurate analysis, it’s better to list the modules present in our binaries (go version -m path/to/binary, on binaries built without upx).