govulncheck
Run `govulncheck` in module-aware repos and triage reachable findings, not just package presence.
Canonical guidance
- run `govulncheck` regularly, not only after an advisory makes the news
- prioritize reachable vulnerabilities (vulnerable symbols actually on a call path from your code) over raw dependency presence
- document remediation or accepted-risk decisions per advisory, including why a finding was judged unreachable and when to revisit it
Use when
- CI security checks
- dependency upgrades
- incident or audit preparation
Avoid
- treating every advisory as equally actionable
- ignoring findings because the dependency is indirect (an indirect module is still in the build list and its symbols can still be reachable)
- replacing ordinary upgrade policy with scanner output alone
Preferred pattern
govulncheck ./...
govulncheck -show verbose ./...  (also print the call trace that makes each finding reachable)
govulncheck -format json ./...   (machine-readable stream for CI triage)
Anti-pattern
- suppressing all findings because the first report contained one unreachable advisory
Explanation: This anti-pattern is tempting because false urgency is frustrating, but reachability-aware triage is the point of the tool: a finding the tool reports as not reachable is already deprioritized for you, and suppressing everything else discards the call-path signal the scan was run to obtain.
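As a worked example of the guidance above (triage by reachability, then record time-boxed accepted-risk decisions rather than blanket suppression), here is an added CI triage step that is not part of the original page or of the govulncheck project. It reads the `govulncheck -format json` stream, merges the module-, package- and symbol-level findings emitted for each advisory, and fails the build only on reachable advisories that have no unexpired acceptance record. The field names follow x/vuln's Finding and Frame types; the advisory IDs, module paths, symbols and the acceptance record are constructed for illustration and do not refer to real advisories.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
	"time"
)

// Subset of the `govulncheck -format json` stream needed for triage. Names follow x/vuln's
// Finding and Frame types (encoding/json matches them case-insensitively). Trace[0] is the
// vulnerable symbol's frame; the last frame is the entry point in the scanned code.
type frame struct{ Module, Package, Function string }
type finding struct {
	OSV          string
	FixedVersion string `json:"fixed_version"`
	Trace        []frame
}

// Entry is the triaged verdict for one advisory. Imported: a vulnerable package is imported;
// Reachable: a vulnerable symbol is on a call path from the scanned code; neither: only the
// module is in the build list. Acceptance maps an advisory ID to the YYYY-MM-DD expiry of a
// reviewed accepted-risk decision; a missing or malformed date fails closed.
type Entry struct {
	OSV, Module, FixedVersion     string
	Imported, Reachable, Accepted bool
}
type Acceptance map[string]string

// Report.Blocking is the CI-gate subset of Entries: reachable and not accepted. Module-only
// and imported-only findings feed the upgrade backlog but do not fail the build on their own.
type Report struct{ Entries, Blocking []Entry }

// Triage merges the module-, package- and symbol-level findings govulncheck emits for one
// advisory into a single Entry, classifying Trace[0] the way govulncheck's text output does:
// a Function means symbol level, a Package alone means package level.
func Triage(r io.Reader, accepted Acceptance, now time.Time) (Report, error) {
	byOSV := map[string]*Entry{}
	dec := json.NewDecoder(r)
	for {
		var msg struct{ Finding *finding }
		if err := dec.Decode(&msg); err == io.EOF {
			break
		} else if err != nil {
			return Report{}, fmt.Errorf("decoding govulncheck output: %w", err)
		}
		f := msg.Finding
		if f == nil || len(f.Trace) == 0 {
			continue // config/progress/osv messages, or a finding without frames
		}
		e := byOSV[f.OSV]
		if e == nil {
			e = &Entry{OSV: f.OSV, Module: f.Trace[0].Module, FixedVersion: f.FixedVersion}
			byOSV[f.OSV] = e
		}
		e.Imported = e.Imported || f.Trace[0].Package != ""
		e.Reachable = e.Reachable || f.Trace[0].Function != ""
	}
	var rep Report
	for _, e := range byOSV {
		exp, err := time.Parse("2006-01-02", accepted[e.OSV])
		e.Accepted = err == nil && now.Before(exp)
		rep.Entries = append(rep.Entries, *e)
		if e.Reachable && !e.Accepted {
			rep.Blocking = append(rep.Blocking, *e)
		}
	}
	sort.Slice(rep.Entries, func(i, j int) bool { return rep.Entries[i].OSV < rep.Entries[j].OSV })
	return rep, nil
}

// SampleOutput is a constructed stand-in for `govulncheck -format json ./...`; the advisory
// IDs, modules and symbols are illustrative and do not refer to real advisories.
const SampleOutput = `
{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"finding":{"osv":"GO-2000-0001","fixed_version":"v1.3.0","trace":[{"module":"example.com/dep","version":"v1.2.0"}]}}
{"finding":{"osv":"GO-2000-0001","fixed_version":"v1.3.0","trace":[{"module":"example.com/dep","version":"v1.2.0","package":"example.com/dep/parse","function":"Decode"},{"module":"example.com/app","package":"example.com/app","function":"main"}]}}
{"finding":{"osv":"GO-2000-0002","fixed_version":"v0.9.2","trace":[{"module":"example.com/other","version":"v0.9.1"}]}}
{"finding":{"osv":"GO-2000-0003","fixed_version":"v2.1.0","trace":[{"module":"example.com/legacy","version":"v2.0.0","package":"example.com/legacy/tls","function":"Handshake"},{"module":"example.com/app","package":"example.com/app/server","function":"Serve"}]}}
`

// SampleAcceptance records one reviewed, time-boxed accepted-risk decision (constructed).
var SampleAcceptance = Acceptance{"GO-2000-0003": "2099-01-01"}

func main() {
	rep, err := Triage(strings.NewReader(SampleOutput), SampleAcceptance, time.Now())
	if err != nil {
		panic(err)
	}
	for _, e := range rep.Entries {
		fmt.Printf("%s %s (fixed in %s) imported=%t reachable=%t accepted=%t\n", e.OSV, e.Module, e.FixedVersion, e.Imported, e.Reachable, e.Accepted)
	}
	if len(rep.Blocking) > 0 {
		os.Exit(1) // fail the CI step: upgrade, or record a reviewed accepted-risk decision
	}
}
```

In a pipeline, pipe `govulncheck -format json ./...` into this program instead of the embedded sample and keep the acceptance map in a reviewed file next to go.mod. The expiry date is what distinguishes a documented accepted-risk decision from the blanket suppression in the anti-pattern: once it lapses, the advisory blocks again and forces a fresh look.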
Why
`govulncheck` adds security signal that is specific to Go call paths and module metadata: it matches the modules in your build list against the Go vulnerability database and, for each match, reports whether a vulnerable symbol is actually reachable from your code rather than merely present in a dependency.
Related pages
Sources
- Finding and fixing known vulnerabilities in Go - Go Team
- govulncheck command - Go Team