Go Module & Security Audit Skill
govulncheck and dependency policy skill for agents - a cookbook-style Agent Skill for Go 1.26 module security sweeps before release.
What This Skill Does
Produces an executable audit plan: govulncheck results, vulnerable import traces, proposed go get pins, license/policy flags, and verification commands - without auto-merging dependency changes.
When to Invoke
- Weekly or pre-release dependency hygiene
- After Dependabot or security scanner alerts
- When agents suggest
go getupgrades - Onboarding new modules into monorepo
go workworkspace - Post-incident review of supply-chain exposure
Inputs
| Input | Why |
|---|---|
go.mod / go.sum | Module graph and checksums |
| Team dependency policy ADR | Allowed majors, internal proxy |
GOPROXY / GONOSUMDB settings | Reproducible audit environment |
| License allowlist | Block GPL if policy requires |
| Previous audit ticket | Track regressions |
Outputs
govulncheck -jsonsummary table: CVE, module, fixed version, call path- Proposed
go get module@versioncommands (human approves) - License outliers vs allowlist
- Verification:
go test ./...,go mod verify, optionalsyftSBOM command
Guardrails
- No
go get -u ./...without explicit human approval and changelog review. - Major bumps require ADR or ticket reference in output.
- Do not edit
go.summanually - onlygo get/go mod tidy. - Respect
retractdirectives in consumergo.mod. - Run tests after every proposed pin before suggesting merge.
- Internal modules - verify
GOPRIVATEbefore publishing audit logs.
Recipe
Quick-reference recipe card - copy-paste ready.
# 1. Baseline module integrity
go mod verify
go list -m -json all | head # sanity: graph resolves
# 2. Vulnerability scan
govulncheck -json ./... > /tmp/vuln.json
# 3. Human-readable summary
govulncheck ./...
# 4. After approved pins only
go get golang.org/x/net@v0.34.0
go mod tidy
go test ./...
govulncheck ./...When to reach for this skill:
- Release captain needs CVE sweep before tag
- Agent proposed dependency upgrades without call-path analysis
- Compliance asks for SBOM evidence from Go module graph
Working Example
Step 0 - Environment
go version # expect 1.26.x per stack pin
echo "$GOPROXY" # document proxy used for audit
go env GOMODStep 1 - Run govulncheck
govulncheck -show verbose ./...| Column | Meaning |
|---|---|
| Vulnerability | OSV/CVE ID |
| Module | Affected module path |
| Found in | Your import chain |
| Fixed in | Upgrade target |
- Vulnerable only in test imports may downgrade priority per policy
- See Dependency Scanning with govulncheck and SBOM
Step 2 - Propose pins (not apply)
# Example output suggestion - human runs after approval
go get golang.org/x/crypto@v0.31.0
go mod tidyDocument why each pin is needed: CVE, call path, breaking change risk.
Step 3 - License scan (optional)
# If team uses syft or go-licenses - adapt to your toolchain
go list -m -json all | jq -r '.Path' | sort -uFlag modules outside allowlist for legal review.
Step 4 - Verify
go test ./... -count=1
go mod verify
govulncheck ./...Deep Dive
Minimal Version Selection (MVS) means go get on one module may pull transitive pins.
Skill output should list direct and indirect changes from go list -m -u all diff.
replace directives hide versions from naive scanners - audit go.mod replace block explicitly.
go work workspaces require running govulncheck from each module or workspace root per team convention.
Retract in your own module: skill should verify you are not publishing retracted versions.
Gotchas
- False positives when vuln is in unreachable code path - still document; security may override.
go get -uon stdlib-related x/* modules can cascade - pin surgically.- Vendor mode (
-mod=vendor) needsgo mod vendorafter pins - mention in output. - Private modules without sum lines fail
go mod verifyin CI - separate policy.
Alternatives
| Approach | When |
|---|---|
| Dependabot only | GitHub-native, less call-path detail |
| OSV-Scanner | Polyglot repos |
Manual go list -m -u | Tiny modules |
| This skill | Agent-assisted audit with team policy gates |
FAQs
Can the skill merge dependency PRs automatically?
No. Draft commands and summary only. Human reviews changelog and runs full CI.
Should govulncheck run in CI on every PR?
Yes for production services. Skill references same command CI uses so local and pipeline align.
How do we handle unfixed CVEs?
Output documents risk acceptance ticket, compensating controls, and monitor for fixed version.
Related
- Agent Skills Basics - SKILL.md structure
- Packages and Modules Basics - go.mod fundamentals
- go.mod, go.sum, and Minimal Version Selection - MVS
- Dependency Scanning with govulncheck and SBOM - human reference
- Dependency Governance and License Compliance - policy
- GitHub Actions for Go Repos - CI integration
Stack versions: This page was written for Go 1.26.x (Green Tea GC default, go fix modernizers - verify patch at build), chi (latest - verify at build), gin (latest - verify at build), echo (latest - verify at build), google.golang.org/grpc (latest - verify at build), sigs.k8s.io/controller-runtime (latest - verify at build), kubebuilder (latest - verify at build), tinygo (latest - verify board targets at build), wazero (latest - verify at build), and golangci-lint (latest - verify linter set at build).