Go Module Security Audit
Scan go.mod for CVEs without govulncheck. Paste your manifest and get a fixed go.mod with safe module versions. Detects pseudo-version vulnerabilities.
How to scan Go dependencies
Paste your go.mod into PackageFix. The tool queries the OSV vulnerability database live and returns:
- CVE table with severity badges (CRITICAL, HIGH, MEDIUM, LOW)
- CISA KEV flags — actively exploited packages highlighted in red
- Side-by-side diff: your versions vs fixed versions
- Download fixed go.mod + changelog as .zip
- Renovate config + GitHub Actions workflow template
Scan your dependencies now — paste your manifest, get a fixed version back in seconds.
Open PackageFix →No signup · No CLI · No GitHub connection · Runs 100% in your browser
Frequently Asked Questions
How do I scan Go dependencies for CVEs?
Paste your go.mod into PackageFix. It queries the OSV vulnerability database live and returns a CVE table with fix versions.
What Go packages have the most CVEs?
Check the PackageFix fix guides for the most commonly CVE-flagged Go packages.
Does PackageFix support Go lockfiles?
Yes. Drop your lockfile alongside go.mod for full transitive dependency scanning.
Is PackageFix free?
Yes — completely free, MIT licensed, open source.