diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 091b1cd..2ed84ae 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -14,7 +14,7 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        go: ["1.20", "1.19", "1.18"]
+        go: ["1.21", "1.20", "1.19"]
         platform: [ubuntu-latest] # can not run in windows OS
     runs-on: ${{ matrix.platform }}
 
@@ -43,4 +43,8 @@ jobs:
       
       - name: Coverage
         run: |
-          make coverage-diff
\ No newline at end of file
+          make coverage-diff
+    
+      - name: govulncheck 
+        uses: golang/govulncheck-action@7da72f730e37eeaad891fcff0a532d27ed737cd4 # v1
+  
\ No newline at end of file
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9b76ad7..33fe45d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,9 @@ Canonical reference for changes, improvements, and bugfixes for mql.
 
 ## Next
 
+* chore: add govulncheck to github actions ([PR](https://github.com/hashicorp/mql/pull/30))
+* update go matrix in CI: remove 1.18 and add 1.21 ([PR](https://github.com/hashicorp/mql/pull/30))
+
 ## 0.1.2 (2023/09/18)
 
 * fix: remove "like" from sql keywords checked in fuzzing ([PR](https://github.com/hashicorp/mql/pull/26))