Hi, did you take into consideration using available static code security analysis tools to automatically discover vulnerabilities in code? Most of them are free and integrated with GitHub, so they can even create tasks/issues to fix open gaps in code.
- Snyk - https://snyk.io/test/ (free, requires only a manifest file)
- LGTM - https://lgtm.com/ (free, does not support Go, but can be used for other components e.g. Lunie)
- WhiteSource Bolt - https://bolt.whitesourcesoftware.com/github/
- SonarCloud - https://sonarcloud.io/about
List of others