How to Use govulncheck for Vulnerability Scanning

Run `govulncheck` directly on your Go source code or binary to identify known vulnerabilities without needing to build the project first.

It queries the Go vulnerability database (GSA) to match your dependencies against publicly disclosed security issues.

For a quick scan of your current module, execute the command in your project root:

govulncheck ./...

If you prefer to scan a compiled binary instead of source code, pass the binary path directly:

govulncheck ./my-app-binary

The tool automatically resolves dependencies from your go.mod file and checks them against the database. By default, it exits with a non-zero status code if any vulnerabilities are found, making it ideal for CI/CD pipelines. Adding the -json flag suppresses that non-zero exit code and outputs results in a machine-readable format, which is useful for integrating with reporting tools; note that in -json mode you must inspect the output yourself to decide whether to fail the build:

govulncheck -json ./...

If you need to scan a specific package rather than the whole module, replace ./... with the package path, such as govulncheck ./cmd/myapp. The tool is designed to be fast and requires no network access beyond the initial database fetch, which is cached locally. It works seamlessly with Go 1.20 and later, though it can analyze older versions of Go code as well.

When vulnerabilities are detected, the output clearly lists the affected package, the specific version, the vulnerability ID (e.g., GSA-xxxx), and a link to the advisory. This allows you to quickly determine if an upgrade is necessary or if the vulnerability is irrelevant to your usage. Unlike static analysis tools that look for code patterns, govulncheck focuses strictly on known CVEs and GSA entries, ensuring you aren't overwhelmed by false positives related to coding style or logic errors.

For continuous integration, you can add it to your pipeline script to fail builds on critical issues:

govulncheck ./... || exit 1

This ensures that no new vulnerabilities are introduced before code is merged. Remember that govulncheck only checks for vulnerabilities that have been officially reported and added to the database, so it complements but does not replace comprehensive security audits or runtime monitoring.
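The -json integration, the "is this vulnerability relevant to my usage" question and the CI gate above can be tied together in a few lines of Go. The program below is an added example, not code from this page or from the govulncheck project: it consumes the JSON stream govulncheck writes (the `osv` messages carry advisory text, the `finding` messages carry the affected module, package and function), folds it into one entry per advisory, marks an advisory as reachable when a finding's trace names a vulnerable function your code calls, and turns that into an exit code. The stream in `SampleStream`, its advisory IDs and its module paths are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// Subset of the messages govulncheck -json writes, one JSON object at a time.
// "config" and "progress" messages have no matching field and are ignored.
type message struct {
	OSV     *osvEntry `json:"osv"`
	Finding *finding  `json:"finding"`
}

type osvEntry struct {
	ID      string `json:"id"`
	Summary string `json:"summary"`
}

type finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version"`
	Trace        []frame `json:"trace"`
}

// frame is one step of a call trace. Trace[0] is the vulnerable side: a frame
// with only module/version is a module-level finding, a frame with a function
// set means govulncheck found a call path from your code into that symbol.
type frame struct {
	Module   string `json:"module"`
	Version  string `json:"version"`
	Package  string `json:"package"`
	Function string `json:"function"`
}

// Entry is the per-advisory summary this example produces.
type Entry struct {
	ID, Summary, FixedVersion string
	Module, Version           string
	Reachable                 bool // a symbol-level finding exists for this advisory
}

// SampleStream is a constructed govulncheck -json stream. The advisory IDs
// (GO-0000-000x) and module paths are placeholders, not real advisories.
const SampleStream = `{"config":{"scanner_name":"govulncheck"}}
{"progress":{"message":"Scanning your code and 12 packages across 3 dependent modules for known vulnerabilities..."}}
{"osv":{"id":"GO-0000-0001","summary":"Placeholder: path traversal in example.com/archive"}}
{"osv":{"id":"GO-0000-0002","summary":"Placeholder: denial of service in example.com/parser"}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v1.2.3","trace":[{"module":"example.com/archive","version":"v1.2.2"}]}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v1.2.3","trace":[{"module":"example.com/archive","version":"v1.2.2","package":"example.com/archive","function":"Extract"},{"module":"example.com/myapp","package":"example.com/myapp/cmd/myapp","function":"main"}]}}
{"finding":{"osv":"GO-0000-0002","fixed_version":"v0.9.1","trace":[{"module":"example.com/parser","version":"v0.9.0"}]}}
`

// ParseStream folds the JSON stream into one Entry per advisory ID.
func ParseStream(stream string) (map[string]*Entry, error) {
	dec := json.NewDecoder(strings.NewReader(stream))
	report := map[string]*Entry{}
	get := func(id string) *Entry {
		if e, ok := report[id]; ok {
			return e
		}
		e := &Entry{ID: id}
		report[id] = e
		return e
	}
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, fmt.Errorf("malformed govulncheck output: %w", err)
		}
		switch {
		case m.OSV != nil:
			get(m.OSV.ID).Summary = m.OSV.Summary
		case m.Finding != nil && len(m.Finding.Trace) > 0:
			e := get(m.Finding.OSV)
			if m.Finding.FixedVersion != "" {
				e.FixedVersion = m.Finding.FixedVersion
			}
			top := m.Finding.Trace[0]
			e.Module, e.Version = top.Module, top.Version
			if top.Function != "" {
				e.Reachable = true
			}
		}
	}
	return report, nil
}

// GateExitCode is this example's CI verdict: 1 (fail) if any advisory has a
// reachable call path, or if strict is set and any advisory applies; else 0.
func GateExitCode(report map[string]*Entry, strict bool) int {
	for _, e := range report {
		if e.Reachable || strict {
			return 1
		}
	}
	return 0
}

func main() {
	report, err := ParseStream(SampleStream)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	ids := make([]string, 0, len(report))
	for id := range report {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	for _, id := range ids {
		e := report[id]
		status := "affected module only, no call path found"
		if e.Reachable {
			status = "REACHABLE: vulnerable function is called"
		}
		fmt.Printf("%s %s@%s (fixed in %s): %s [%s]\n", e.ID, e.Module, e.Version, e.FixedVersion, e.Summary, status)
	}
	os.Exit(GateExitCode(report, false))
}
```

To use it against a real scan, replace `SampleStream` with the contents of `os.Stdin` and pipe `govulncheck -json ./...` into the program; since -json always exits 0, the exit code of this gate is what your pipeline should check. Failing only on reachable findings keeps the build red for vulnerabilities your code can actually hit while letting you triage module-only findings separately; pass `strict=true` if your policy is to upgrade every affected module regardless.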