Govulncheck
Govulncheck is the official Go vulnerability scanner, developed by the Go security team. It analyzes Go codebases and binaries to identify known vulnerabilities in dependencies by cross-referencing the Go vulnerability database (vuln.go.dev), which aggregates data from sources including the National Vulnerability Database, the GitHub Advisory Database, and direct maintainer reports. The tool reduces false positives through static analysis that reports only vulnerabilities in functions the application code actually calls, not ones that are merely imported. This gives developers accurate, low-noise vulnerability detection that integrates into CI/CD pipelines, IDEs, and development workflows, with support for JSON, SARIF, and VEX output formats.
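An added example, not part of govulncheck or this page: a Go function that reads the `govulncheck -json` message stream and separates vulnerabilities whose vulnerable function is actually reached from ones that are only imported, which is the distinction a CI gate would act on. The sample stream is constructed, with placeholder IDs and module paths, and the struct covers only the fields used here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// message is a subset of one object in the `govulncheck -json` stream.
type message struct {
	Finding *struct {
		OSV   string `json:"osv"`
		Trace []struct {
			Function string `json:"function"`
		} `json:"trace"`
	} `json:"finding"`
}

// Constructed sample output; IDs and module paths are placeholders.
const sample = `
{"config": {"scan_level": "symbol"}}
{"finding": {"osv": "GO-0000-0001", "trace": [{"module": "example.com/a"}]}}
{"finding": {"osv": "GO-0000-0001", "trace": [{"module": "example.com/a", "package": "example.com/a/p"}]}}
{"finding": {"osv": "GO-0000-0002", "trace": [{"module": "example.com/b", "package": "example.com/b/q", "function": "Parse"}, {"module": "example.com/app", "package": "example.com/app", "function": "main"}]}}
`

// reachable maps each OSV ID to true when some finding's first trace frame
// (the vulnerable frame) names a function, i.e. there is symbol-level evidence.
func reachable(r io.Reader) (map[string]bool, error) {
	out := map[string]bool{}
	dec := json.NewDecoder(r)
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			return out, nil
		} else if err != nil {
			return nil, err
		}
		if m.Finding == nil || len(m.Finding.Trace) == 0 {
			continue // config, progress and osv messages carry no finding
		}
		called := m.Finding.Trace[0].Function != ""
		out[m.Finding.OSV] = out[m.Finding.OSV] || called
	}
}

func main() {
	fmt.Println(reachable(strings.NewReader(sample)))
}
```

A pipeline can fail the build only for IDs mapped to `true` and route the rest to routine dependency upgrades.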