Vulnerability Scanning in IDEs
Editors integrated with the Go language server, such as VS Code with the Go extension, can detect vulnerabilities in your dependencies.
There are two modes for detecting vulnerabilities in dependencies. Both are backed by the Go vulnerability database and complement each other.
- Imports-based analysis: in this mode, editors report vulnerabilities by scanning the set of packages imported in the workspace, and surface the findings as diagnostics in the `go.mod` files. This is fast, but may report false positives if your code imports packages that contain vulnerable symbols while the vulnerable functions themselves are not reachable. This mode can be enabled by the `"vulncheck": "Imports"` gopls setting.
- Govulncheck analysis: this is based on the `govulncheck` command-line tool, which is embedded in `gopls`. This provides a low-noise, reliable way to confirm whether your code actually invokes vulnerable functions. Because this analysis can be expensive to compute, it must be manually triggered, either by using the “Run govulncheck to verify” code action associated with the diagnostic reports from the imports-based analysis, or by using the `"codelenses.run_govulncheck"` code lens on `go.mod` files.
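As an added illustration (not code from gopls, govulncheck or the Go project), the following Go program models the difference between the two modes over constructed data: the imports-based mode intersects imported packages with the database, while the symbol-level mode also requires an affected symbol to be reachable from an entry point in the call graph. The vulnerability ID, package path and call graph are all constructed for the example.

```go
package main

import "fmt"
// Vuln is a constructed entry in the shape of a Go vulnerability database
// report: the affected package and the vulnerable symbols inside it.
type Vuln struct {
	ID, Package string
	Symbols     []string
}
// ImportsFindings models imports-based analysis: every vulnerability whose
// package is imported is reported, whether or not its symbols are called.
func ImportsFindings(imports map[string]bool, db []Vuln) (ids []string) {
	for _, v := range db {
		if imports[v.Package] {
			ids = append(ids, v.ID)
		}
	}
	return ids
}
// SymbolFindings models govulncheck: a vulnerability is reported only when one
// of its symbols is reachable from entry in cg ("pkg.Func" -> callees).
func SymbolFindings(cg map[string][]string, entry string, db []Vuln) (ids []string) {
	seen := map[string]bool{}
	for stack := []string{entry}; len(stack) > 0; {
		n := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if !seen[n] {
			seen[n] = true
			stack = append(stack, cg[n]...)
		}
	}
	for _, v := range db {
		for _, s := range v.Symbols {
			if seen[v.Package+"."+s] {
				ids = append(ids, v.ID)
				break
			}
		}
	}
	return ids
}
// Sample runs both modes on constructed data: main imports a package holding a
// vulnerable symbol but calls only Safe, so only imports-based mode reports it.
func Sample() (importsMode, symbolMode []string) {
	db := []Vuln{{ID: "GO-EXAMPLE-0001", Package: "example.com/parse", Symbols: []string{"Unsafe"}}}
	cg := map[string][]string{"main.main": {"example.com/parse.Safe"}}
	return ImportsFindings(map[string]bool{"example.com/parse": true}, db), SymbolFindings(cg, "main.main", db)
}
func main() { fmt.Println(Sample()) }
```

Running it prints the constructed ID for the imports-based mode and an empty list for the symbol-level mode, which is exactly the false positive the “Run govulncheck to verify” action is there to clear.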
(Video: “Go: Toggle Vulncheck”, vulncheck.mp4)
These features are available in gopls v0.11.0 or newer. Please share your feedback at go.dev/s/vsc-vulncheck-feedback.
Editor-specific Instructions
VS Code
The Go extension integrates with gopls. The following settings (in settings.json) are required to enable the vulnerability scanning features:
```json
{
  "go.diagnostic.vulncheck": "Imports", // enable the imports-based analysis by default.
  "gopls": {
    "ui.codelenses": {
      "run_govulncheck": true // "Run govulncheck" code lens on go.mod files.
    }
  }
}
```
The “Go: Toggle Vulncheck” command can be used to toggle the imports-based analysis on and off for the current workspace.
Vim/NeoVim
When using coc.nvim, the following setting enables the imports-based analysis:
```json
{
  "codeLens.enable": true,
  "languageserver": {
    "go": {
      "command": "gopls",
      ...
      "initializationOptions": {
        "vulncheck": "Imports"
      }
    }
  }
}
```
Notes and Caveats
- The extension does not scan private packages nor send any information on private modules. All the analysis is done by pulling a list of known vulnerable modules from the Go vulnerability database and then computing the intersection locally.
- The imports-based analysis uses the list of packages in the workspace modules, which may differ from what you see in `go.mod` files if `go.work` or module `replace`/`exclude` directives are used.
- The govulncheck analysis result can become stale as you modify code or as the Go vulnerability database is updated. To invalidate the analysis results manually, use the "Reset go.mod diagnostics" code lens shown at the top of the `go.mod` file. Otherwise, the result is automatically invalidated after an hour.
- These features currently don’t report vulnerabilities in the standard library or toolchain. We are still investigating the UX for where to surface those findings and how to help users handle the issues.