grafana-plugin-sdk-go v0.292.1 requires Go 1.26.3, so plugins on it have go 1.26.3 in go.mod. But the validator image runs Go 1.25.10 for govulncheck source scans, so the scan fails the version check:
go.mod requires go >= 1.26.3 (running go 1.25.10; GOTOOLCHAIN=local)
This is a toolchain mismatch in the validator, not a real vulnerability, but govulncheck-scan-failed is Error severity and isn't downgraded in publishing.yaml, so it blocks validation.
Cause: the Dockerfile builder is golang:1.26.3-alpine3.23, but the runtime stage installs Go via apk add go on alpine:3.23, which is Go 1.25.10 (and defaults to GOTOOLCHAIN=local, so it won't auto-upgrade). The binary scan (-mode=binary) is unaffected; only the source scan hits this.
grafana-plugin-sdk-go v0.292.1 requires Go 1.26.3, so plugins on it have
go 1.26.3ingo.mod. But the validator image runs Go 1.25.10 for govulncheck source scans, so the scan fails the version check:This is a toolchain mismatch in the validator, not a real vulnerability, but
govulncheck-scan-failedis Error severity and isn't downgraded inpublishing.yaml, so it blocks validation.Cause: the Dockerfile builder is
golang:1.26.3-alpine3.23, but the runtime stage installs Go viaapk add goonalpine:3.23, which is Go 1.25.10 (and defaults toGOTOOLCHAIN=local, so it won't auto-upgrade). The binary scan (-mode=binary) is unaffected; only the source scan hits this.