Go
Vulkro does source analysis for Go. It extracts endpoints across the common
routers, tracks request data through call chains to dangerous sinks, and
matches go.mod dependencies against the local CVE bundle. Go is in the
Free tier (an account and sign-in are still required to scan; see
Accounts).
Project detection
Vulkro recognises Go from go.mod and resolves module versions using minimal
version selection over the require block.
vulkro scan .
vulkro discover .
Frameworks
Endpoint extraction understands:
net/http- Gin
- Echo
- Chi
- Fiber
- gorilla/mux
Access model
Go endpoints carry an AuthTier, scopes, and tenant-scoping shared with the
other analysed languages, and feed the OWASP API Top 10 checks. See
OWASP API Top 10.
Taint analysis
Vulkro runs an interprocedural taint pass for Go. Sources include
r.URL.Query(), r.PostFormValue, r.Header.Get, and router path
parameters. Sinks include SQL query construction, os/exec command execution,
filesystem paths, and outbound request URLs (SSRF). Findings carry the
source-to-sink hop chain.
There are also Go-specific detectors, including a zip-slip check and CRLF /
response-header injection for net/http
(w.Header().Set/Add, http.Redirect, http.SetCookie). See
New detectors.
Dependencies
go.mod dependencies are matched against the local CVE bundle (OSV Go
ecosystem); the leading v is stripped to match OSV's version format. Go
modules are not in the reachability call-shape set, so Go CVE findings are
emitted without a [reachable] / [unreachable] tag. See
Dependencies and CVEs.
Detection-depth gap (published)
Go detection depth is a known gap, and Vulkro publishes it rather than hiding
it. On the benchmark's one Go repository (govwa), Vulkro currently finds 0 of
4 catalogued bugs while gosec finds 3; the misses (an fmt.Sprintf SQL
interpolation, an html/template XSS, and two HttpOnly: false insecure
cookies) stay in the corpus as false negatives. If Go is your primary language,
run gosec alongside Vulkro today. The full numbers are on the
Benchmark page.
Useful commands
vulkro scan .
vulkro discover . --format json
vulkro dataflow .
vulkro explain GO-TAINT-SQL-001