Skip to content
Latchkey

govulncheck: Reachability-Aware Go Vuln Scan

govulncheck scans Go code against the Go vulnerability database and, using call-graph analysis, flags vulnerabilities your code actually calls into.

govulncheck is the official Go tool. Its edge is reachability: instead of failing on any vulnerable module, it reports the ones whose vulnerable symbols you actually use.

What it does

govulncheck ./... loads the package call graph, cross-references the Go vuln DB, and reports vulnerabilities reachable from your code (plus, with -scan=module, all affected modules). It exits 3 when vulnerabilities are found in the default source mode, 0 when none, and 1 on a tool error.

Common usage

Terminal
govulncheck ./...
# also emit SARIF for code scanning
govulncheck -format sarif ./... > govulncheck.sarif
# scan a built binary
govulncheck -mode binary ./bin/app

Options

FlagWhat it does
./...Analyze all packages in the module
-format <fmt>text, json, or sarif output
-scan <level>symbol (default, reachability), package, or module
-mode <mode>source (default) or binary to scan a compiled binary
-show <kinds>Add detail, e.g. traces of the call paths

In CI

In source mode govulncheck exits 3 on findings, which fails the job; reachability means it stays quiet about vulnerable deps you never call, cutting noise versus a pure SCA scan. For SARIF, use -format sarif and upload it. The binary mode (-mode binary) is handy to scan release artifacts.

Common errors in CI

"no required module provides package" or build errors mean the module does not compile in the runner; govulncheck needs a buildable module in source mode, so run after deps are downloaded. "loading packages: ... go.mod not found" means it ran outside the module root. A job that does not fail on a known vuln may be using a binary built without symbol info.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →