# Install govulncheck with Homebrew, apt, dnf, MacPorts, Nix, pacman, zypper

Database client and tools for the Go vulnerability database. Version 1.5.0 via Homebrew; verified 2026-07-08.

## Install

```sh
sudo av install brew:govulncheck
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install govulncheck
```

  Evidence: local Homebrew formula metadata

- MacPorts (94%):

```sh
sudo port install govulncheck
```

  Evidence: MacPorts ports tree: security/govulncheck/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

### Linux

- Debian apt (92%):

```sh
sudo apt install govulncheck
```

  Evidence: Debian stable package indexes: govulncheck from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz

- dnf (92%):

```sh
sudo dnf install govulncheck
```

  Evidence: Fedora Rawhide package metadata: govulncheck from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst

- Nix (92%):

```sh
nix profile install nixpkgs#govulncheck
```

  Evidence: nixpkgs package indexes: pkgs/by-name/go/govulncheck/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- pacman (92%):

```sh
sudo pacman -S govulncheck
```

  Evidence: Arch Linux sync databases: govulncheck from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz

- zypper (92%):

```sh
sudo zypper install govulncheck
```

  Evidence: openSUSE Tumbleweed package metadata: govulncheck from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

## Package facts

- **Package key:** brew:govulncheck
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/govulncheck>
- **Version:** 1.5.0
- **Source summary:** Database client and tools for the Go vulnerability database
- **Homepage:** <https://github.com/golang/vuln>
- **Repository:** <https://github.com/golang/vuln>
- **Upstream docs:** <https://github.com/golang/vuln#readme>
- **License:** BSD-3-Clause
- **Source archive:** <https://github.com/golang/vuln/archive/refs/tags/v1.5.0.tar.gz>
- **Last updated:** 2026-07-08T03:14:15Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- govulncheck (cli)
- govulncheck (alias)

## Build dependencies

- go

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 1.5.0
- Package-manager updated: 2026-07-08
- Local data: ok
- Upstream repository: https://github.com/golang/vuln
- Upstream latest detected: v1.5.0 (current)
## Project history and usage

govulncheck is the Go project's command-line vulnerability scanner. It is part of Go's vulnerability-management effort and is backed by the Go vulnerability database, with a defining design goal of reducing noise by reporting vulnerabilities that are reachable through the functions a program actually calls.

### Project history

The golang/vuln repository was created as the code home for Go vulnerability-management tooling and database clients. The official README describes the repository as Go's support for vulnerability management: tooling for analyzing codebases and binaries, backed by a Go vulnerability database curated by the Go security team.

The Go team publicly announced vulnerability management support on 2022-09-06. That announcement introduced govulncheck as a standalone command for frequent updates and rapid feedback, separate from the Go distribution while the team gathered user experience. The same post described the Go vulnerability database as a curated source built from CVEs, GitHub Security Advisories, direct package maintainer reports, and Go security team review.

On 2023-07-13, the Go team announced govulncheck v1.0.0 and a stable scanning API. That marked govulncheck's transition from an experimental ecosystem tool into an official integration point for other scanners and workflows. The Go documentation and pkg.go.dev pages later describe source and binary analysis, JSON and other machine-readable formats, database configuration, privacy properties, and known limitations.

### Adoption history

govulncheck adoption is unusually direct for a language-security tool because the Go project itself promotes it in the security documentation, tutorial, repository README, and package documentation. The Go blog also describes integrations with pkg.go.dev, the VS Code Go extension, a GitHub Action, and OSV-Scanner integration work, putting the CLI into editor, package discovery, CI, and scanner ecosystems.

The input package-manager metadata lists govulncheck in Homebrew, Debian, Ubuntu, Fedora, MacPorts, Nix, Arch, and zypper. That broad packaging matters because security checks are commonly installed in CI images and developer environments where relying only on `go install` may not match local package policy.

### How it is used

The common command path is intentionally simple: install `golang.org/x/vuln/cmd/govulncheck` and run `govulncheck ./...` from a Go module. The scanner can analyze source code, and package documentation also describes binary analysis with `-mode binary`, extraction mode, build tags, test-file inclusion, verbose output, JSON streaming, SARIF, and OpenVEX-related output support.

By default, govulncheck queries the Go vulnerability database at vuln.go.dev. The pkg.go.dev documentation states that those requests contain module paths with vulnerabilities known to the database rather than code or other properties of the user's program, and the repository links to a dedicated privacy policy.

### Why package nerds care

govulncheck is significant because it changed Go vulnerability scanning from manifest-level dependency matching toward call-aware analysis. For package maintainers, this matters: it can reduce alert fatigue, make security CI less noisy, and help distinguish vulnerable-but-unused dependency code from reachable vulnerable functions.

It is also one of the clearer examples of modern language-ecosystem security plumbing: a curated vulnerability database, OSV-format data, package-discovery integration, editor integration, CI integration, an installable CLI, and a public API all orbit the same tool.

### Timeline

- 2021: The golang/vuln mirror repository was created for Go vulnerability database clients and tools.
- 2022-09-06: The Go team announced Go vulnerability management and introduced govulncheck as a standalone low-noise scanner.
- 2023-07-13: The Go team announced govulncheck v1.0.0 and a stable API for scanner integrations.
- 2023: The Go blog described pkg.go.dev, VS Code Go extension, GitHub Action, and OSV-Scanner integration paths.
- 2026: pkg.go.dev documentation described govulncheck source/binary analysis, JSON streaming, SARIF, VEX-oriented output, and documented limitations.

### Related projects

- The Go vulnerability database at vuln.go.dev provides the curated data used by govulncheck.
- pkg.go.dev surfaces Go vulnerability information in package discovery workflows.
- The VS Code Go extension and the govulncheck GitHub Action are official or Go-team-documented integration paths.
- OSV-Scanner is referenced by the Go team as an integration point for govulncheck analysis.

### Sources

- <https://api.github.com/repos/golang/vuln>
- <https://go.dev/blog/govulncheck>
- <https://go.dev/blog/vuln>
- <https://go.dev/doc/security/vuln/>
- <https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck>
- <https://raw.githubusercontent.com/golang/vuln/master/README.md>


## Security Notes

No matching local secret-handling manifest was found for govulncheck. Nucleus package metadata is still published here so future coverage has a stable package URL.


## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** govulncheck
- **Version Scheme:** 0
- **Revision:** 1
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Debian apt - govulncheck - 1.0.4-1: normalized package name match | Debian stable package indexes: govulncheck from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | CLI for detecting vulnerabilities in Go packages | https://github.com/golang/vuln
- Nix - govulncheck: normalized package name match | nixpkgs package indexes: pkgs/by-name/go/govulncheck/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- Ubuntu apt - govulncheck - 1.0.1-1: normalized package name match | Ubuntu 24.04 LTS package indexes: govulncheck from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | CLI for detecting vulnerabilities in Go packages | https://github.com/golang/vuln
- dnf - govulncheck - 1.1.4-1.20260218gita9cf566.fc45: normalized package name match | Fedora Rawhide package metadata: govulncheck from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | Database client and tools for the Go vulnerability database | https://github.com/golang/vuln
- pacman - govulncheck - 1.3.0-1: normalized package name match | Arch Linux sync databases: govulncheck from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz | Database client and tools for the Go vulnerability database | https://github.com/golang/vuln
- zypper - govulncheck - 1.3.0-1.1: normalized package name match | openSUSE Tumbleweed package metadata: govulncheck from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | CLI tool to report known CVE vulnerabilities in Go source code and binaries | https://github.com/golang/vuln
- MacPorts - govulncheck: normalized package name match | MacPorts ports tree: security/govulncheck/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Language runtime packages](https://www.automicvault.com/pkg/language-runtime-packages/) - Matched language runtime, compiler, or interpreter metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [xk6](https://www.automicvault.com/pkg/brew/xk6/) - Popular package that depends on this formula.
- [clair](https://www.automicvault.com/pkg/brew/clair/) - Shares av.db curated category or tags: cli, security, vulnerability-scanning.
- [osv-scanner](https://www.automicvault.com/pkg/brew/osv-scanner/) - Shares av.db curated category or tags: cli, go, security, vulnerability-scanning.
- [snyk-cli](https://www.automicvault.com/pkg/brew/snyk-cli/) - Shares av.db curated category or tags: cli, security, vulnerability-scanning.
- [bomber](https://www.automicvault.com/pkg/brew/bomber/) - Shares av.db curated category or tags: cli, security, vulnerability-scanning.
- [grype](https://www.automicvault.com/pkg/brew/grype/) - Shares av.db curated category or tags: cli, security, vulnerability-scanning.
- [nuclei](https://www.automicvault.com/pkg/brew/nuclei/) - Shares av.db curated category or tags: cli, security, vulnerability-scanning.
- [terrapin-scanner](https://www.automicvault.com/pkg/brew/terrapin-scanner/) - Shares av.db curated category or tags: cli, security, vulnerability-scanning.
- [vuls](https://www.automicvault.com/pkg/brew/vuls/) - Shares av.db curated category or tags: cli, security, vulnerability-scanning.
- [snyk-agent-scan](https://www.automicvault.com/pkg/brew/snyk-agent-scan/) - Security-sensitive metadata or terminology overlaps. Shared terms: cli, scanning, security, vulnerability, vulnerability-scanning.

## Combined YAML source

View the package source record on GitHub. [combined/govulncheck.yml](https://github.com/automic-vault/db/blob/main/combined/govulncheck.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
