Julie Qiu, announcing Go’s new support for vulnerability management:
“Go provides tooling to analyze your codebase and surface known vulnerabilities. This tooling is backed by the Go vulnerability database, which is curated by the Go security team. Go’s tooling reduces noise in your results by only surfacing vulnerabilities in functions that your code is actually calling.”
There’s a new govulncheck command you can/should install and run against your project. It surfaces only the vulnerabilities that actually affect you, which is awesome.
“Govulncheck is a standalone tool to allow frequent updates and rapid iteration while we gather feedback from users. In the long term, we plan to integrate the govulncheck tool into the main Go distribution.”
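A simplified model of the "only functions your code is actually calling" filtering, as an added example; it is not govulncheck's code and not part of the announcement. The call graph, package names and EXAMPLE IDs are constructed for illustration, whereas the real tool derives the call graph by static analysis and reads advisories from the Go vulnerability database.

```go
package main

import "fmt"

// Vuln is a constructed advisory: an ID and the symbols it affects.
type Vuln struct {
	ID      string
	Symbols []string
}
// Constructed call graph (caller -> callees); every name is hypothetical.
var sampleCalls = map[string][]string{
	"main.main":             {"main.loadConfig"},
	"main.loadConfig":       {"example.com/cfg.Parse"},
	"example.com/cfg.Parse": {"example.com/cfg.decodeNode"},
}
// Constructed advisories with placeholder IDs.
var sampleVulns = []Vuln{
	{"EXAMPLE-0001", []string{"example.com/cfg.decodeNode"}}, // called transitively
	{"EXAMPLE-0002", []string{"example.com/img.Resize"}},     // dependency present, never called
}

// Triage splits advisories by whether an affected symbol is reachable from entry.
func Triage(calls map[string][]string, entry string, vulns []Vuln) (called, imported []string) {
	// Depth-first walk of the call graph, recording every reachable function.
	seen, stack := map[string]bool{entry: true}, []string{entry}
	for len(stack) > 0 {
		fn := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		for _, callee := range calls[fn] {
			if !seen[callee] {
				seen[callee] = true
				stack = append(stack, callee)
			}
		}
	}
	// An advisory is reported as "called" if any affected symbol was reached.
	for _, v := range vulns {
		dst := &imported
		for _, s := range v.Symbols {
			if seen[s] {
				dst = &called
			}
		}
		*dst = append(*dst, v.ID)
	}
	return called, imported
}

func main() {
	fmt.Println(Triage(sampleCalls, "main.main", sampleVulns))
}
```

A scanner that matched on module versions alone would flag both advisories; filtering by reachability leaves only EXAMPLE-0001 to act on.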