| Field | Value |
|---|---|
| name | security-scan-go-vuln |
| version | 1.0.0 |
| description | Run Go vulnerability checker (govulncheck) to detect known vulnerabilities in Go code |
| author | Charon Project |
| license | MIT |
| tags | security, vulnerabilities, go, govulncheck, scanning |
# Security Scan Go Vulnerability

## Overview
Runs govulncheck, which queries the official Go vulnerability database, to scan Go code and its dependencies for known security vulnerabilities. The tool analyzes both direct and transitive dependencies and provides actionable remediation advice.
This skill is designed for CI/CD pipelines and pre-release security validation.
## Prerequisites

- Go 1.23 or higher installed and in PATH
- Internet connection (for vulnerability database access)
- Go module dependencies downloaded (`go mod download`)
- Valid Go project with a `go.mod` file
## Usage

### Basic Usage

Run with default settings (text output, source mode):

```bash
cd /path/to/charon
.github/skills/scripts/skill-runner.sh security-scan-go-vuln
```
### JSON Output

Get results in JSON format for parsing:

```bash
.github/skills/scripts/skill-runner.sh security-scan-go-vuln json
```
### SARIF Output

Get results in SARIF format for GitHub Code Scanning:

```bash
.github/skills/scripts/skill-runner.sh security-scan-go-vuln sarif
```
### Custom Format via Environment

```bash
GOVULNCHECK_FORMAT=json .github/skills/scripts/skill-runner.sh security-scan-go-vuln
```
## Parameters

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| format | string | No | text | Output format (text, json, sarif) |
| mode | string | No | source | Scan mode (source or binary) |
## Environment Variables

| Variable | Required | Default | Description |
|---|---|---|---|
| GOVULNCHECK_FORMAT | No | text | Output format override |
## Outputs

- Success Exit Code: 0 (no vulnerabilities found)
- Error Exit Codes:
  - 1: Scan error or invalid arguments
  - 3: Vulnerabilities detected
- Output: Vulnerability report to stdout
## Vulnerability Report Format

### Text Output (Default)

```text
Scanning for dependencies with known vulnerabilities...
No vulnerabilities found.
```
Or if vulnerabilities are found:
```text
Found 2 vulnerabilities in dependencies

Vulnerability #1: GO-2023-1234
  Package: github.com/example/vulnerable
  Version: v1.2.3
  Description: Buffer overflow in Parse function
  Fixed in: v1.2.4
  More info: https://vuln.go.dev/GO-2023-1234

Vulnerability #2: GO-2023-5678
  Package: golang.org/x/crypto/ssh
  Version: v0.1.0
  Description: Insecure default configuration
  Fixed in: v0.3.0
  More info: https://vuln.go.dev/GO-2023-5678
```
## Examples

### Example 1: Basic Scan

```bash
# Scan backend Go code for vulnerabilities
cd backend
.github/skills/scripts/skill-runner.sh security-scan-go-vuln
```
Output:

```text
Scanning your code and 125 packages across 23 dependent modules for known vulnerabilities...
No vulnerabilities found.
```
### Example 2: JSON Output for CI/CD

```bash
# Get JSON output for automated processing
.github/skills/scripts/skill-runner.sh security-scan-go-vuln json > vuln-report.json
```
### Example 3: CI/CD Pipeline Integration

```yaml
# GitHub Actions example
- name: Check Go Vulnerabilities
  run: .github/skills/scripts/skill-runner.sh security-scan-go-vuln
  working-directory: backend

- name: Upload SARIF Report
  if: always()
  run: |
    .github/skills/scripts/skill-runner.sh security-scan-go-vuln sarif > results.sarif
    # Upload to GitHub Code Scanning
```
### Example 4: Binary Mode Scan

```bash
# Scan a compiled binary
.github/skills/scripts/skill-runner.sh security-scan-go-vuln text binary
```
## Error Handling

### Common Issues

- Go not installed:
  - Error: `Go 1.23+ is required`
  - Solution: Install Go 1.23 or higher
- Network unavailable:
  - Error: `Failed to fetch vulnerability database`
  - Solution: Check internet connection or proxy settings
- Vulnerabilities found:
  - Exit code: 3
  - Solution: Review the vulnerabilities and update the affected packages
- Module not found:
  - Error: `go.mod file not found`
  - Solution: Run from a valid Go module directory
## Exit Codes

- 0: No vulnerabilities found
- 1: Scan error or invalid arguments
- 3: Vulnerabilities detected (standard govulncheck exit code)
## Related Skills

- security-scan-trivy - Multi-language vulnerability scanning
- test-backend-coverage - Backend test coverage
## Notes

- govulncheck uses the official Go vulnerability database at https://vuln.go.dev
- Database is automatically updated during each scan
- Only checks vulnerabilities that are reachable from your code
- Does not require building the code (analyzes source)
- Can also scan compiled binaries with `--mode=binary`
- Results may change as new vulnerabilities are published
- Recommended to run before each release and in CI/CD
- Zero false positives (only reports known CVEs)
## Remediation Workflow

When vulnerabilities are found:

1. Review the Report: Understand which packages are affected
2. Check Fix Availability: Look for fixed versions in the report
3. Update Dependencies: Run `go get -u` to update affected packages
4. Re-run Scan: Verify the vulnerabilities are resolved
5. Test: Run the full test suite after updates
6. Document: Note any unresolvable vulnerabilities in the security log
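The JSON output (Example 2) and the remediation workflow above meet in CI: something has to read the report, decide whether the build fails, and tell the engineer which modules to bump. The program below is an added example written for this page; it is not code from the Charon skill or from govulncheck. It reads the stream that `security-scan-go-vuln json` writes, groups findings by OSV ID, separates vulnerabilities whose symbols are actually called from ones that are only imported, derives the exit code this skill documents (3 for reachable vulnerabilities, 0 otherwise) and emits a `go get module@fixedversion` command for each affected module, which pins the fix the report names rather than relying on `go get -u` picking it up. It assumes the message shape of `govulncheck -format json` (`finding` objects carrying `osv`, `fixed_version` and a `trace` ordered from the vulnerable symbol outward); `sampleStream` is constructed input for the example, not captured scanner output.

```go
// Added example, not code from the Charon skill or from govulncheck: triage the
// JSON stream of `security-scan-go-vuln json` in CI. Assumes the message shape of
// `govulncheck -format json` (one object per message, keyed "config", "progress",
// "osv" or "finding"); sampleStream is constructed input for this example.
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// Frame is one trace entry. govulncheck orders frames from the vulnerable symbol
// outward, so Trace[0] is the affected module; module- and package-level findings
// carry a single frame with an empty Function.
type Frame struct {
	Module   string `json:"module"`
	Version  string `json:"version"`
	Function string `json:"function"`
}

// Finding mirrors the "finding" message; other message kinds are skipped.
type Finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version"`
	Trace        []Frame `json:"trace"`
}

// Vuln merges every finding that references one OSV identifier.
type Vuln struct {
	ID, Module, Version, FixedVersion string
	Called                            bool // a call path to the vulnerable symbol exists
}

// Triage decodes the stream and groups findings by OSV ID.
func Triage(r io.Reader) (map[string]*Vuln, error) {
	dec, vulns := json.NewDecoder(r), map[string]*Vuln{}
	for {
		var m struct{ Finding *Finding `json:"finding"` }
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		if m.Finding == nil || len(m.Finding.Trace) == 0 {
			continue
		}
		f, top := m.Finding, m.Finding.Trace[0]
		v, ok := vulns[f.OSV]
		if !ok {
			v = &Vuln{ID: f.OSV, Module: top.Module, Version: top.Version, FixedVersion: f.FixedVersion}
			vulns[f.OSV] = v
		}
		v.Called = v.Called || top.Function != ""
	}
	return vulns, nil
}

// ExitCode follows the skill's convention: 3 when a vulnerable symbol is reachable
// from the scanned code, 0 otherwise; import-only findings are reported, not fatal.
func ExitCode(vulns map[string]*Vuln) int {
	for _, v := range vulns {
		if v.Called {
			return 3
		}
	}
	return 0
}

// RemediationCommands pins each affected module to the fixed version from the
// report, sorted so CI output is stable.
func RemediationCommands(vulns map[string]*Vuln) []string {
	var cmds []string
	for _, v := range vulns {
		if v.FixedVersion != "" {
			cmds = append(cmds, fmt.Sprintf("go get %s@%s", v.Module, v.FixedVersion))
		}
	}
	sort.Strings(cmds)
	return cmds
}

// Constructed sample: GO-2023-1234 is called from main, GO-2023-5678 is only imported.
const sampleStream = `
{"progress":{"message":"Scanning your code and 125 packages across 23 dependent modules..."}}
{"finding":{"osv":"GO-2023-1234","fixed_version":"v1.2.4","trace":[{"module":"github.com/example/vulnerable","version":"v1.2.3"}]}}
{"finding":{"osv":"GO-2023-1234","fixed_version":"v1.2.4","trace":[{"module":"github.com/example/vulnerable","version":"v1.2.3","package":"github.com/example/vulnerable","function":"Parse"},{"module":"example.com/app","package":"example.com/app","function":"main"}]}}
{"finding":{"osv":"GO-2023-5678","fixed_version":"v0.3.0","trace":[{"module":"golang.org/x/crypto","version":"v0.1.0"}]}}
`

func main() {
	vulns, err := Triage(strings.NewReader(sampleStream)) // use os.Stdin for a real scan
	if err != nil {
		fmt.Fprintln(os.Stderr, "parse error:", err)
		os.Exit(1)
	}
	fmt.Println(RemediationCommands(vulns))
	os.Exit(ExitCode(vulns))
}
```

In a pipeline, replace the sample reader with `os.Stdin` and run `skill-runner.sh security-scan-go-vuln json | go run triage.go`; the process exit status then carries the same 0/3 meaning as the skill itself, and the printed `go get` lines are the concrete form of step 3 of the workflow. Keeping import-only findings visible but non-fatal matches how govulncheck's own text mode treats them, and it avoids a CI gate that fails on code paths the project never calls.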
## Integration with GitHub Security

For SARIF output integration with GitHub Code Scanning:

```bash
# Generate SARIF report
.github/skills/scripts/skill-runner.sh security-scan-go-vuln sarif > govulncheck.sarif

# Upload to GitHub (requires GitHub CLI). The code-scanning API expects the
# SARIF document gzip-compressed and then base64-encoded, not the raw file.
gh api /repos/:owner/:repo/code-scanning/sarifs \
  -f sarif="$(gzip -c govulncheck.sarif | base64 | tr -d '\n')" \
  -f commit_sha="$GITHUB_SHA" \
  -f ref="$GITHUB_REF"
```
Last Updated: 2025-12-20
Maintained by: Charon Project
Source: go run golang.org/x/vuln/cmd/govulncheck@latest