govulncheck: Reachability-Aware Go Vuln Scan
govulncheck scans Go code against the Go vulnerability database and, using call-graph analysis, flags vulnerabilities your code actually calls into.
govulncheck is the official Go tool. Its edge is reachability: instead of failing on any vulnerable module, it reports the ones whose vulnerable symbols you actually use.
What it does
govulncheck ./... loads the package call graph, cross-references the Go vuln DB, and reports vulnerabilities reachable from your code (plus, with -scan=module, all affected modules). It exits 3 when vulnerabilities are found in the default source mode, 0 when none, and 1 on a tool error.
Common usage
govulncheck ./...
# also emit SARIF for code scanning
govulncheck -format sarif ./... > govulncheck.sarif
# scan a built binary
govulncheck -mode binary ./bin/appOptions
| Flag | What it does |
|---|---|
| ./... | Analyze all packages in the module |
| -format <fmt> | text, json, or sarif output |
| -scan <level> | symbol (default, reachability), package, or module |
| -mode <mode> | source (default) or binary to scan a compiled binary |
| -show <kinds> | Add detail, e.g. traces of the call paths |
In CI
In source mode govulncheck exits 3 on findings, which fails the job; reachability means it stays quiet about vulnerable deps you never call, cutting noise versus a pure SCA scan. For SARIF, use -format sarif and upload it. The binary mode (-mode binary) is handy to scan release artifacts.
Common errors in CI
"no required module provides package" or build errors mean the module does not compile in the runner; govulncheck needs a buildable module in source mode, so run after deps are downloaded. "loading packages: ... go.mod not found" means it ran outside the module root. A job that does not fail on a known vuln may be using a binary built without symbol info.