macOS
brew install govulnchecklocal Homebrew formula metadata
sudo port install govulncheckMacPorts ports tree · security/govulncheck/Portfile · source: api.github.com
brew
Database client and tools for the Go vulnerability database. Version 1.5.0 via Homebrew; verified 2026-07-08.
install
brew install govulnchecklocal Homebrew formula metadata
sudo port install govulncheckMacPorts ports tree · security/govulncheck/Portfile · source: api.github.com
sudo apt install govulncheckDebian stable package indexes · govulncheck · source: deb.debian.org
sudo dnf install govulncheckFedora Rawhide package metadata · govulncheck · source: dl.fedoraproject.org
nix profile install nixpkgs#govulnchecknixpkgs package indexes · pkgs/by-name/go/govulncheck/package.nix · source: api.github.com
sudo pacman -S govulncheckArch Linux sync databases · govulncheck · source: geo.mirror.pkgbuild.com
sudo zypper install govulncheckopenSUSE Tumbleweed package metadata · govulncheck · source: download.opensuse.org
overview
Database client and tools for the Go vulnerability database
history
govulncheck is the Go project's command-line vulnerability scanner. It is part of Go's vulnerability-management effort and is backed by the Go vulnerability database, with a defining design goal of reducing noise by reporting vulnerabilities that are reachable through the functions a program actually calls.
The golang/vuln repository was created as the code home for Go vulnerability-management tooling and database clients. The official README describes the repository as Go's support for vulnerability management: tooling for analyzing codebases and binaries, backed by a Go vulnerability database curated by the Go security team.
The Go team publicly announced vulnerability management support on 2022-09-06. That announcement introduced govulncheck as a standalone command for frequent updates and rapid feedback, separate from the Go distribution while the team gathered user experience. The same post described the Go vulnerability database as a curated source built from CVEs, GitHub Security Advisories, direct package maintainer reports, and Go security team review.
On 2023-07-13, the Go team announced govulncheck v1.0.0 and a stable scanning API. That marked govulncheck's transition from an experimental ecosystem tool into an official integration point for other scanners and workflows. The Go documentation and pkg.go.dev pages later describe source and binary analysis, JSON and other machine-readable formats, database configuration, privacy properties, and known limitations.
govulncheck adoption is unusually direct for a language-security tool because the Go project itself promotes it in the security documentation, tutorial, repository README, and package documentation. The Go blog also describes integrations with pkg.go.dev, the VS Code Go extension, a GitHub Action, and OSV-Scanner integration work, putting the CLI into editor, package discovery, CI, and scanner ecosystems.
The input package-manager metadata lists govulncheck in Homebrew, Debian, Ubuntu, Fedora, MacPorts, Nix, Arch, and zypper. That broad packaging matters because security checks are commonly installed in CI images and developer environments where relying only on `go install` may not match local package policy.
The common command path is intentionally simple: install `golang.org/x/vuln/cmd/govulncheck` and run `govulncheck ./...` from a Go module. The scanner can analyze source code, and package documentation also describes binary analysis with `-mode binary`, extraction mode, build tags, test-file inclusion, verbose output, JSON streaming, SARIF, and OpenVEX-related output support.
By default, govulncheck queries the Go vulnerability database at vuln.go.dev. The pkg.go.dev documentation states that those requests contain module paths with vulnerabilities known to the database rather than code or other properties of the user's program, and the repository links to a dedicated privacy policy.
govulncheck is significant because it changed Go vulnerability scanning from manifest-level dependency matching toward call-aware analysis. For package maintainers, this matters: it can reduce alert fatigue, make security CI less noisy, and help distinguish vulnerable-but-unused dependency code from reachable vulnerable functions.
It is also one of the clearer examples of modern language-ecosystem security plumbing: a curated vulnerability database, OSV-format data, package-discovery integration, editor integration, CI integration, an installable CLI, and a public API all orbit the same tool.
security posture
No matching local secret-handling manifest was found for govulncheck. Nucleus package metadata is still published here so future coverage has a stable package URL.
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
govulncheck | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/golang/vuln
install metadata
| Package key | brew:govulncheck |
|---|---|
| Version | 1.5.0 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/govulncheck |
| Homepage | https://github.com/golang/vuln |
| Repository | https://github.com/golang/vuln |
| Upstream docs | https://github.com/golang/vuln#readme |
| License | BSD-3-Clause |
| Source archive | https://github.com/golang/vuln/archive/refs/tags/v1.5.0.tar.gz |
| Last updated | 2026-07-08T03:14:15Z |
| Pulse | updated |
| Build dependencies | go |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | govulncheck |
| Version Scheme | 0 |
| Revision | 1 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
govulncheck 1.0.4-1
CLI for detecting vulnerabilities in Go packages
https://github.com/golang/vuln
sudo apt install govulncheckgovulncheck
nix profile install nixpkgs#govulncheckgovulncheck 1.0.1-1
CLI for detecting vulnerabilities in Go packages
https://github.com/golang/vuln
sudo apt install govulncheckgovulncheck 1.1.4-1.20260218gita9cf566.fc45
Database client and tools for the Go vulnerability database
https://github.com/golang/vuln
sudo dnf install govulncheckgovulncheck 1.3.0-1
Database client and tools for the Go vulnerability database
https://github.com/golang/vuln
sudo pacman -S govulncheckgovulncheck 1.3.0-1.1
CLI tool to report known CVE vulnerabilities in Go source code and binaries
https://github.com/golang/vuln
sudo zypper install govulncheckgovulncheck
sudo port install govulnchecksource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.