Can it detect vulnerabilities in indirect dependencies?

Yes, it parses the full dependency tree from go.mod and uses recursive analysis to identify risks in both direct and transitive packages.

What tools are required to run this analysis?

It requires the Go toolchain along with govulncheck, callgraph, and digraph installed in your environment to perform the full suite of verification methods.

What happens if the Go project fails to compile?

The skill will fallback to lower-confidence methods like static source analysis and dependency matching while noting the limitation in the final report, as call graph analysis requires a successful build.

How does this skill differ from standard vulnerability scanners?

While standard scanners identify vulnerable versions, this skill uses call graph analysis to prove if the vulnerable code is actually reachable and executable within your specific project context.

Go Codebase CVE Impact Analysis

Name: Go Codebase CVE Impact Analysis
Author: openshift-eng

byopenshift-eng

•

Seguridad y Pruebas

Evaluates Go projects for vulnerability exposure by performing multi-layered impact analysis and call graph reachability checks.

This skill provides a systematic approach to determining if a Go codebase is truly impacted by specific Common Vulnerabilities and Exposures (CVEs). It moves beyond simple version checking by employing a hierarchy of verification methods—ranging from dependency audits and official Go vulnerability scanners to deep source code analysis and call graph reachability. By providing a data-driven risk assessment backed by concrete evidence like execution paths and call chains, it helps developers prioritize security remediation efforts and eliminate false positives in their security reporting.

Características Principales

0160 GitHub stars

02Support for analyzing both direct and transitive dependencies in Go modules

03Multi-stage verification using dependency matching and govulncheck

04Deep reachability analysis via call graph generation (VTA, RTA, CHA, or static)

05Detailed evidence collection including file paths, line numbers, and call chains

06Automated risk level assignment (High, Medium, Low) based on data-driven confidence

Casos de Uso

01Prioritizing CVE patching by identifying reachable vulnerable functions in production code

02Generating evidence-based compliance reports for security audits and risk assessments

03Validating whether a security advisory actually affects a specific application's execution path

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add openshift-eng/ai-helpers codebase-impact-analysis

For use in Claude.ai and ChatGPT

Download Skill