diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 857184e7cca015984d36b0e08c6762d3570c12f2..3a90ea316c3d86f5b2f93224fd2b35eaa572e704 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -65,11 +65,14 @@ jobs:
 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
- - uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
+ - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
 with:
- output-format: sarif
- output-file: results.sarif
- go-version-input: 1.26.0-rc.1 # change to "stable" once Go 1.26 is released
+ go-version: 1.26.0-rc.1 # change to "stable" once Go 1.26 is released
+ - name: Install govulncheck
+ run: go install golang.org/x/vuln/cmd/govulncheck@latest
+ - name: Run govulncheck
+ run: |
+ govulncheck -C . -format sarif ./... > results.sarif
 - uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
 with:
 sarif_file: results.sarif
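Review bot: The added `Install govulncheck` step installs `govulncheck@latest`, which makes the scanner the only unpinned dependency among steps that otherwise pin every action to a commit SHA. The tool version can then change between runs with no change in the repository, so a scanner upgrade is never reviewed and findings are not comparable from run to run. Pin an explicit release and bump it deliberately, for example `run: go install golang.org/x/vuln/cmd/govulncheck@vX.Y.Z`, where `vX.Y.Z` is a placeholder for the release tag you have vetted. The enclosing job and its `steps:` list begin and end outside this hunk, so any job-level settings that affect these `run` steps are not visible here.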