
GoGuard is a tool that helps you protect your Go projects from known CVE threats. It allows you to check if a given GitHub repository is vulnerable against a specific CVE.
<https://github.com/user/repo>).go.mod file. It searches for the package related to the Go vulnerability and compares the version found in the go.mod file with the fixed version reported by the OSVDB.go.sum file as well. If there are any vulnerable versions coming from other packages, then GoGuard will inform the user about these as well.go mod graph to get the dependency graph of the project, against the vulnerable versions found in the go sum file.To fix a directly vulnerability, bump your go.mod file to the fixed version and run go mod tidy.
To fix all indirect vulnerabilities, (e.g. if the vulnerable pkg is gopkg.in/yaml.v2 and the patched version v2.4.0 then do:
go mod edit -replace gopkg.in/yaml.v2=gopkg.in/yaml.v2@v2.4.0
go mod tidy
go install github.com/drpaneas/GoGuard@latest
To use GoGuard, supports 3 scan modes
you can run the following command:
Usage: ./goguard <mode> <GitHub-Repo-URL> <CVE ID>
-- Modes: cve, go, pkg --
Example: goguard cve <GitHub-Repo-URL> <BRANCH> <CVE ID>)
Example: goguard go <GitHub-Repo-URL> <BRANCH> <GOVULN ID>)
Example: goguard pkg <GitHub-Repo-URL> <BRANCH> <VULNPKG> <VULNVER>)
For example:
goguard cve https://github.com/user/repo main CVE-2021-4238
goguard go https://github.com/user/repo main GO-2022-0411
goguard pkg https://github.com/user/repo main 'goutils' '1.0'
This command will check if the GitHub repository https://github.com/user/repo is vulnerable against the CVE CVE-2021-4238.
You can also use the --debug parameter to see more detailed information about the vulnerability check process.
GoGuard is provided "as is" without warranty of any kind. Use it at your own risk and always verify the information provided with the original sources.
$ claude mcp add goguard \
-- python -m otcore.mcp_server <graph>