Vulnerability Scanning in IDEs


Editors integrated with the Go language server, such as VS Code with the Go extension, can detect vulnerabilities in your dependencies.

There are two modes for detecting vulnerabilities in dependencies. Both are backed by the Go vulnerability database and complement each other.

Vulncheck

(Video: "Go: Toggle Vulncheck" command in VS Code, vulncheck.mp4)

These features are available in gopls v0.11.0 or newer. Please share your feedback at go.dev/s/vsc-vulncheck-feedback.

Editor-specific Instructions

VS Code

The Go extension integrates with gopls. The following settings in settings.json are required to enable the vulnerability scanning features:

{
  "go.diagnostic.vulncheck": "Imports", // enable the imports-based analysis by default.
  "gopls": {
    "ui.codelenses": {
      "run_govulncheck": true  // "Run govulncheck" code lens on go.mod file.
    }
  }
}

The “Go: Toggle Vulncheck” command toggles the imports-based analysis on and off for the current workspace.
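The checks a practitioner typically wants before relying on the editor integration are (a) that the installed gopls is at least v0.11.0 and (b) that the workspace settings above are actually present and not commented out. The script below is an added example and not part of the Go documentation or the Go extension. It assumes that `gopls version` prints the version as `vX.Y.Z` on its first line and that the VS Code settings live at `.vscode/settings.json` in JSONC form (so `//` comments may appear); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the Go documentation: preflight checks for the
# editor-based vulncheck setup. Assumptions (not from the page): `gopls version`
# prints a line containing "vX.Y.Z"; VS Code settings are JSONC and may
# contain "//" line comments.

MIN_GOPLS="v0.11.0"   # first gopls release with the vulncheck features

# gopls_version_ok HAVE [WANT]: succeed when version HAVE (e.g. "v0.14.2")
# is at least WANT (default $MIN_GOPLS). Pre-release suffixes are ignored.
gopls_version_ok() {
  have=${1#v}; want=${2:-$MIN_GOPLS}; want=${want#v}
  have=${have%%-*}; want=${want%%-*}
  _ifs=$IFS; IFS=.
  set -- $have; h1=${1:-0}; h2=${2:-0}; h3=${3:-0}
  set -- $want; w1=${1:-0}; w2=${2:-0}; w3=${3:-0}
  IFS=$_ifs
  if [ "$h1" -ne "$w1" ]; then [ "$h1" -gt "$w1" ]; return; fi
  if [ "$h2" -ne "$w2" ]; then [ "$h2" -gt "$w2" ]; return; fi
  [ "$h3" -ge "$w3" ]
}

# gopls_installed_version: print the version of the gopls on PATH, or fail.
gopls_installed_version() {
  command -v gopls >/dev/null 2>&1 || return 1
  gopls version 2>/dev/null \
    | sed -n 's/.*\(v[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
    | head -n 1
}

# settings_enable_vulncheck FILE: succeed when FILE sets
# "go.diagnostic.vulncheck" to "Imports" and turns on the run_govulncheck
# code lens. "//" comments are dropped first so a commented-out setting
# does not count as enabled (URLs inside strings would be cut too; none of
# the keys checked here contain one).
settings_enable_vulncheck() {
  [ -r "$1" ] || return 1
  stripped=$(sed 's|//.*$||' "$1")
  printf '%s\n' "$stripped" \
    | grep -q '"go\.diagnostic\.vulncheck"[[:space:]]*:[[:space:]]*"Imports"' || return 1
  printf '%s\n' "$stripped" \
    | grep -q '"run_govulncheck"[[:space:]]*:[[:space:]]*true'
}

# preflight [SETTINGS]: report whether this workspace is ready for vulncheck.
preflight() {
  settings=${1:-.vscode/settings.json}
  v=$(gopls_installed_version) || { echo "gopls not found on PATH" >&2; return 1; }
  if gopls_version_ok "$v"; then
    echo "gopls $v supports vulncheck (>= $MIN_GOPLS)"
  else
    echo "gopls $v is too old for vulncheck; need $MIN_GOPLS or newer" >&2
    return 1
  fi
  if settings_enable_vulncheck "$settings"; then
    echo "$settings: imports-based analysis and run_govulncheck code lens enabled"
  else
    echo "$settings: vulncheck settings missing or commented out" >&2
    return 1
  fi
}

# Usage: sh vulncheck-preflight.sh --check [path/to/settings.json]
if [ "${1:-}" = "--check" ]; then
  preflight "$2"
fi
```

Running `sh vulncheck-preflight.sh --check` from the module root exits non-zero when either check fails, which makes it usable as a repository bootstrap step or a pre-commit hook that refuses to proceed while the scanner is silently disabled.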

Vim/NeoVim

When using coc.nvim, the following setting in coc-settings.json enables the imports-based analysis.

{
    "codeLens.enable": true,
    "languageserver": {
        "go": {
            "command": "gopls",
            ...
            "initializationOptions": {
                "vulncheck": "Imports"
            }
        }
    }
}

Notes and Caveats