Skip to main content

Go

Vulkro does source analysis for Go. It extracts endpoints across the common routers, tracks request data through call chains to dangerous sinks, and matches go.mod dependencies against the local CVE bundle. Go is in the Free tier (an account and sign-in are still required to scan; see Accounts).

Project detection

Vulkro recognises Go from go.mod and resolves module versions using minimal version selection over the require block.

vulkro scan .
vulkro discover .

Frameworks

Endpoint extraction understands:

  • net/http
  • Gin
  • Echo
  • Chi
  • Fiber
  • gorilla/mux

Access model

Go endpoints carry an AuthTier, scopes, and tenant-scoping shared with the other analysed languages, and feed the OWASP API Top 10 checks. See OWASP API Top 10.

Taint analysis

Vulkro runs an interprocedural taint pass for Go. Sources include r.URL.Query(), r.PostFormValue, r.Header.Get, and router path parameters. Sinks include SQL query construction, os/exec command execution, filesystem paths, and outbound request URLs (SSRF). Findings carry the source-to-sink hop chain.

There are also Go-specific detectors, including a zip-slip check and CRLF / response-header injection for net/http (w.Header().Set/Add, http.Redirect, http.SetCookie). See New detectors.

Dependencies

go.mod dependencies are matched against the local CVE bundle (OSV Go ecosystem); the leading v is stripped to match OSV's version format. Go modules are not in the reachability call-shape set, so Go CVE findings are emitted without a [reachable] / [unreachable] tag. See Dependencies and CVEs.

Detection-depth gap (published)

Go detection depth is a known gap, and Vulkro publishes it rather than hiding it. On the benchmark's one Go repository (govwa), Vulkro currently finds 0 of 4 catalogued bugs while gosec finds 3; the misses (an fmt.Sprintf SQL interpolation, an html/template XSS, and two HttpOnly: false insecure cookies) stay in the corpus as false negatives. If Go is your primary language, run gosec alongside Vulkro today. The full numbers are on the Benchmark page.

Useful commands

vulkro scan .
vulkro discover . --format json
vulkro dataflow .
vulkro explain GO-TAINT-SQL-001