SecureGoDeps is an automated security vulnerability scanner and dependency remediation tool for Go modules. It leverages Go's official govulncheck to analyze your codebase for reachable vulnerabilities, simulates or applies upgrades to affected packages, and validates repository stability through module tidying and unit testing.
You nolonger have an excuse for deploying vulnerable Go dependencies in your code. This repo provides an easy to use CLI tool to scan and remediate vulnerable dependencies in your Go code.
graph TD
A([Start Scan]) --> B[Ensure govulncheck is installed/up-to-date]
B --> C[Run initial govulncheck scan]
C -- "No Vulnerabilities" --> D[Run go mod tidy & tests]
D --> E([Clean & Verified])
C -- "Vulnerabilities Detected" --> F{Dry Run?}
F -- "Yes" --> G[Simulate upgrade & output git diff]
G --> H([Simulation Complete])
F -- "No" --> I[Upgrade direct & indirect deps]
I --> J[Run go mod tidy & tests]
J --> K[Run final govulncheck verification]
K --> L([Remediated & Verified])
classDef default fill:#1E1E2E,stroke:#CDD6F4,stroke-width:1px,color:#CDD6F4;
classDef success fill:#A6E3A1,stroke:#A6E3A1,stroke-width:1px,color:#11111B;
classDef highlight fill:#F9E2AF,stroke:#F9E2AF,stroke-width:1px,color:#11111B;
class E,H,L success;
class F highlight;
- Automated Tooling Lifecycle: Automatically installs or updates
govulncheckto the latest version on each run. - Vulnerability Detection: Scans package patterns (
./...) to identify reachable vulnerabilities that actually affect your compiled code. - Smart Remediation:
- If vulnerable: Upgrades packages (
go get -u), runs tests (go test), and re-scans to verify remediation. - If healthy: Runs standard sanity checks (
go mod tidy&go test) to ensure everything compiles cleanly.
- If vulnerable: Upgrades packages (
- Safe Simulation (Dry Run): Safely simulates dependency upgrades and prints a
git diffformat patch showing proposed changes without editing file state.
- Go (version 1.18 or higher recommended; script automatically switches Go toolchains if needed).
- Bash environment.
No heavy setup required. Copy or clone this utility to your project:
git clone https://github.com/simplybarter/SecureGoDeps.git
cd SecureGoDepsRun the script from the root of your Go module or provide a specific target path.
./scripts/secure-go-deps.sh [options]| Flag | Long Option | Description |
|---|---|---|
-p |
--path PATH |
Path to the Go project/module to scan. |
-d |
--dry-run |
Preview the upgrades and show a diff without modifying files. |
-h |
--help |
Show the help documentation. |
Scan current directory:
./scripts/secure-go-deps.shPerform a dry run to inspect changes:
./scripts/secure-go-deps.sh --dry-runScan a specific sub-project:
./scripts/secure-go-deps.sh --path ./examples/testingWhen a vulnerability is detected and automatically resolved:
==> Using project directory: /home/user/SecureGoDeps/examples/testing
==> Checking this is a Go module repo...
==> Installing/updating govulncheck...
==> Running initial vulnerability scan...
govulncheck: loading packages:
...
==> Vulnerabilities were found.
==> Attempting to upgrade all direct and indirect dependencies...
go: upgraded golang.org/x/text v0.35.0 => v0.38.0
==> Tidying module files...
==> Running tests after dependency upgrades...
ok secure-go-deps (cached)
==> Running final vulnerability scan...
No vulnerabilities found.
==> Done. Dependencies were upgraded, tests passed, and govulncheck passed.
A sample project for testing vulnerability scanning and automatic remediation is available in the examples/testing directory. See the Examples README for usage and test execution instructions.
For details on integrating SecureGoDeps into your continuous integration workflows (e.g. GitHub Actions), please refer to the Examples README.