hamba/vulnfix

vulnfix consumes govulncheck -json output and applies dependency fixes to a Go module.

It is designed for a simple workflow:

  1. run govulncheck -json
  2. pipe the output to vulnfix
  3. let vulnfix update vulnerable modules and tidy the module graph

Install

go install github.com/hamba/vulnfix@latest

Usage

govulncheck -json ./... | vulnfix

Run in a different module directory:

govulncheck -json ./... | vulnfix -C /path/to/module

You can also apply fixes from a saved report:

vulnfix < govulncheck-report.json

Optionally write a Markdown CVE report:

govulncheck -json ./... | vulnfix -o report.md

How It Works

vulnfix parses the govulncheck -json output and collects the minimum fixed version for each vulnerable module. It then runs go get <module>@<version> for each affected dependency and follows up with go mod tidy to keep the module graph clean.

Special pseudo-modules are handled automatically:

Module           Action
stdlib           Updates the go directive via go get go@<version>
toolchain        Updates the toolchain directive via go get toolchain@<version>
everything else  Regular go get <module>@<version>
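The first step described above, decoding the govulncheck -json stream and keeping one fixed version per vulnerable module, as an added Go example that is not vulnfix's own code. It assumes govulncheck's JSON field names (finding, fixed_version, trace, with trace[0] being the vulnerable module) and runs over a constructed sample stream; the resulting keys include the pseudo-module name stdlib, which the table above maps to go get go@<version>, while the go get and go mod tidy steps themselves are left out.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
)

// Sample is a constructed govulncheck -json stream (not real output) using
// govulncheck's field names: two findings against one module with different
// fixed versions, one stdlib finding, and one finding with no fix available.
const Sample = `{"config":{"protocol_version":"v1.0.0"}}
{"finding":{"osv":"GO-EXAMPLE-0001","fixed_version":"v1.2.3","trace":[{"module":"example.com/dep","version":"v1.1.0"},{"module":"example.com/app"}]}}
{"finding":{"osv":"GO-EXAMPLE-0002","fixed_version":"v1.10.0","trace":[{"module":"example.com/dep","version":"v1.1.0"}]}}
{"finding":{"osv":"GO-EXAMPLE-0003","fixed_version":"v1.22.7","trace":[{"module":"stdlib","version":"v1.22.0"}]}}
{"finding":{"osv":"GO-EXAMPLE-0004","trace":[{"module":"example.com/nofix","version":"v0.1.0"}]}}`

// CollectFixes keeps, per vulnerable module, the highest fixed_version seen:
// the lowest version that closes every finding reported against that module.
func CollectFixes(r io.Reader) (map[string]string, error) {
	fixes := map[string]string{}
	dec := json.NewDecoder(r)
	for {
		var msg struct { // only "finding" messages populate these fields
			Finding *struct {
				FixedVersion string                    `json:"fixed_version"`
				Trace        []struct{ Module string } // trace[0] is the vulnerable module
			}
		}
		if err := dec.Decode(&msg); err == io.EOF {
			return fixes, nil
		} else if err != nil {
			return nil, err
		}
		f := msg.Finding
		if f == nil || f.FixedVersion == "" || len(f.Trace) == 0 {
			continue // config/progress/osv messages, or no fix available yet
		}
		if m := f.Trace[0].Module; less(fixes[m], f.FixedVersion) {
			fixes[m] = f.FixedVersion // "" for an unseen module sorts lowest
		}
	}
}

// less orders canonical vMAJOR.MINOR.PATCH strings (pre-release suffixes are ignored; an assumption here).
func less(a, b string) bool {
	var x, y [3]int
	fmt.Sscanf(a, "v%d.%d.%d", &x[0], &x[1], &x[2])
	fmt.Sscanf(b, "v%d.%d.%d", &y[0], &y[1], &y[2])
	return x[0] < y[0] || x[0] == y[0] && (x[1] < y[1] || x[1] == y[1] && x[2] < y[2])
}
```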

About

Go vulnerability updater