Automic VaultAutomic Vault

brew

Install govulncheck with Homebrew, apt, dnf, MacPorts, Nix, pacman, zypper

Database client and tools for the Go vulnerability database. Version 1.5.0 via Homebrew; verified 2026-07-08.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install govulncheck

local Homebrew formula metadata

MacPortsverified · 94%
sudo port install govulncheck

MacPorts ports tree · security/govulncheck/Portfile · source: api.github.com

Linux

Debian aptverified · 92%
sudo apt install govulncheck

Debian stable package indexes · govulncheck · source: deb.debian.org

Fedora dnfverified · 92%
sudo dnf install govulncheck

Fedora Rawhide package metadata · govulncheck · source: dl.fedoraproject.org

Nixverified · 92%
nix profile install nixpkgs#govulncheck

nixpkgs package indexes · pkgs/by-name/go/govulncheck/package.nix · source: api.github.com

Arch Linux pacmanverified · 92%
sudo pacman -S govulncheck

Arch Linux sync databases · govulncheck · source: geo.mirror.pkgbuild.com

openSUSE zypperverified · 92%
sudo zypper install govulncheck

openSUSE Tumbleweed package metadata · govulncheck · source: download.opensuse.org

overview

Package summary

Database client and tools for the Go vulnerability database

Commands and aliases

  • govulncheck

history

Project history and usage

govulncheck is the Go project's command-line vulnerability scanner. It is part of Go's vulnerability-management effort and is backed by the Go vulnerability database, with a defining design goal of reducing noise by reporting vulnerabilities that are reachable through the functions a program actually calls.

Project history

The golang/vuln repository was created as the code home for Go vulnerability-management tooling and database clients. The official README describes the repository as Go's support for vulnerability management: tooling for analyzing codebases and binaries, backed by a Go vulnerability database curated by the Go security team.

The Go team publicly announced vulnerability management support on 2022-09-06. That announcement introduced govulncheck as a standalone command for frequent updates and rapid feedback, separate from the Go distribution while the team gathered user experience. The same post described the Go vulnerability database as a curated source built from CVEs, GitHub Security Advisories, direct package maintainer reports, and Go security team review.

On 2023-07-13, the Go team announced govulncheck v1.0.0 and a stable scanning API. That marked govulncheck's transition from an experimental ecosystem tool into an official integration point for other scanners and workflows. The Go documentation and pkg.go.dev pages later describe source and binary analysis, JSON and other machine-readable formats, database configuration, privacy properties, and known limitations.

Adoption history

govulncheck adoption is unusually direct for a language-security tool because the Go project itself promotes it in the security documentation, tutorial, repository README, and package documentation. The Go blog also describes integrations with pkg.go.dev, the VS Code Go extension, a GitHub Action, and OSV-Scanner integration work, putting the CLI into editor, package discovery, CI, and scanner ecosystems.

The input package-manager metadata lists govulncheck in Homebrew, Debian, Ubuntu, Fedora, MacPorts, Nix, Arch, and zypper. That broad packaging matters because security checks are commonly installed in CI images and developer environments where relying only on `go install` may not match local package policy.

How it is used

The common command path is intentionally simple: install `golang.org/x/vuln/cmd/govulncheck` and run `govulncheck ./...` from a Go module. The scanner can analyze source code, and package documentation also describes binary analysis with `-mode binary`, extraction mode, build tags, test-file inclusion, verbose output, JSON streaming, SARIF, and OpenVEX-related output support.

By default, govulncheck queries the Go vulnerability database at vuln.go.dev. The pkg.go.dev documentation states that those requests contain module paths with vulnerabilities known to the database rather than code or other properties of the user's program, and the repository links to a dedicated privacy policy.

Why package nerds care

govulncheck is significant because it changed Go vulnerability scanning from manifest-level dependency matching toward call-aware analysis. For package maintainers, this matters: it can reduce alert fatigue, make security CI less noisy, and help distinguish vulnerable-but-unused dependency code from reachable vulnerable functions.

It is also one of the clearer examples of modern language-ecosystem security plumbing: a curated vulnerability database, OSV-format data, package-discovery integration, editor integration, CI integration, an installable CLI, and a public API all orbit the same tool.

Timeline

  • 2021: The golang/vuln mirror repository was created for Go vulnerability database clients and tools.
  • 2022-09-06: The Go team announced Go vulnerability management and introduced govulncheck as a standalone low-noise scanner.
  • 2023-07-13: The Go team announced govulncheck v1.0.0 and a stable API for scanner integrations.
  • 2023: The Go blog described pkg.go.dev, VS Code Go extension, GitHub Action, and OSV-Scanner integration paths.
  • 2026: pkg.go.dev documentation described govulncheck source/binary analysis, JSON streaming, SARIF, VEX-oriented output, and documented limitations.

Related projects

  • The Go vulnerability database at vuln.go.dev provides the curated data used by govulncheck.
  • pkg.go.dev surfaces Go vulnerability information in package discovery workflows.
  • The VS Code Go extension and the govulncheck GitHub Action are official or Go-team-documented integration paths.
  • OSV-Scanner is referenced by the Go team as an integration point for govulncheck analysis.

security posture

No protected-tool coverage found yet

No matching local secret-handling manifest was found for govulncheck. Nucleus package metadata is still published here so future coverage has a stable package URL.

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
govulncheckcliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version1.5.0
manager updated2026-07-08
local dataok
upstreamcurrent
latest detectedv1.5.0

https://github.com/golang/vuln

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:govulncheck
Version1.5.0
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/govulncheck
Homepagehttps://github.com/golang/vuln
Repositoryhttps://github.com/golang/vuln
Upstream docshttps://github.com/golang/vuln#readme
LicenseBSD-3-Clause
Source archivehttps://github.com/golang/vuln/archive/refs/tags/v1.5.0.tar.gz
Last updated2026-07-08T03:14:15Z
Pulseupdated
Build dependenciesgo
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namegovulncheck
Version Scheme0
Revision1
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Debian apt95%

govulncheck 1.0.4-1

CLI for detecting vulnerabilities in Go packages

https://github.com/golang/vuln

sudo apt install govulncheck
  • Section: golang
  • Architecture: amd64
  • Source Package: golang-golang-x-vuln
  • 1 dependencies
  • normalized package name match
  • Matched by: Govulncheck
Debian stable package indexes · deb.debian.org · Debian stable package indexes: govulncheck from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz
Nix95%

govulncheck

nix profile install nixpkgs#govulncheck
  • normalized package name match
  • Matched by: Govulncheck
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/go/govulncheck/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
Ubuntu apt95%

govulncheck 1.0.1-1

CLI for detecting vulnerabilities in Go packages

https://github.com/golang/vuln

sudo apt install govulncheck
  • Section: universe/golang
  • Architecture: amd64
  • Source Package: golang-golang-x-vuln
  • 1 dependencies
  • normalized package name match
  • Matched by: Govulncheck
Ubuntu 24.04 LTS package indexes · archive.ubuntu.com · Ubuntu 24.04 LTS package indexes: govulncheck from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz
dnf95%

govulncheck 1.1.4-1.20260218gita9cf566.fc45

Database client and tools for the Go vulnerability database

https://github.com/golang/vuln

sudo dnf install govulncheck
  • License: Apache-2.0 AND BSD-3-Clause
  • Category: Unspecified
  • Architecture: x86_64
  • Source Package: govulncheck
  • 3 dependencies
  • 3 provides
  • normalized package name match
  • Matched by: Govulncheck
Fedora Rawhide package metadata · dl.fedoraproject.org · Fedora Rawhide package metadata: govulncheck from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst
pacman95%

govulncheck 1.3.0-1

Database client and tools for the Go vulnerability database

https://github.com/golang/vuln

sudo pacman -S govulncheck
  • License: BSD-3-Clause
  • Architecture: x86_64
  • 1 dependencies
  • normalized package name match
  • Matched by: Govulncheck
Arch Linux sync databases · geo.mirror.pkgbuild.com · Arch Linux sync databases: govulncheck from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz
zypper95%

govulncheck 1.3.0-1.1

CLI tool to report known CVE vulnerabilities in Go source code and binaries

https://github.com/golang/vuln

sudo zypper install govulncheck
  • License: BSD-3-Clause
  • Category: Development/Languages/Go
  • Architecture: x86_64
  • Source Package: govulncheck
  • 1 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Govulncheck
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: govulncheck from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
MacPorts95%

govulncheck

sudo port install govulncheck
  • normalized package name match
  • Matched by: Govulncheck
MacPorts ports tree · api.github.com · MacPorts ports tree: security/govulncheck/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment