Security
This page provides resources for Go developers to improve security for their projects.
(See also: Security Best Practices for Go Developers.)
Find and fix known vulnerabilities
Go’s vulnerability detection aims to provide low-noise, reliable tools for developers to learn about known vulnerabilities that may affect their projects. For an overview, start at this summary and FAQ page about Go’s vulnerability management architecture. For an applied approach, explore the tools below.
Scan code for vulnerabilities with govulncheck
Developers can use the govulncheck tool to determine whether any known vulnerabilities affect their code and prioritize next steps based on which vulnerable functions and methods are actually called.
Detect vulnerabilities from your editor
The VS Code Go extension checks third-party dependencies and surfaces relevant vulnerabilities.
Find Go modules to build upon
Pkg.go.dev is a website for discovering, evaluating and learning more about Go packages and modules. When discovering and evaluating packages on pkg.go.dev, you will see a banner at the top of a page if there are vulnerabilities in that version. Additionally, you can see the vulnerabilities impacting each version of a package on the version history page.
Browse the vulnerability database
The Go vulnerability database collects data directly from Go package maintainers as well as from outside sources such as MITRE and GitHub. Reports are curated by the Go Security team.
- Browse reports in the Go vulnerability database
- View the Go Vulnerability Database documentation
- Contribute a public vulnerability to the database
Report security bugs in the Go project
Security Policy
Consult the Security Policy for instructions on how to report a vulnerability in the Go project. The page also details the Go security team’s process of tracking issues and disclosing them to the public. See the release history for details about past security fixes. Per the release policy, we issue security fixes to the two most recent major releases of Go.
Test unexpected inputs with fuzzing
Go native fuzzing provides a type of automated testing which continuously manipulates inputs to a program to find bugs. Go supports fuzzing in its standard toolchain beginning in Go 1.18. Native Go fuzz tests are supported by OSS-Fuzz.
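The following is an added example of what a native Go fuzz test looks like; it is not code from the Go project or this page. It assumes a small constructed header parser, ParseHeader, and checks a round-trip property (anything the parser accepts must re-parse identically after formatting) so that the fuzzing engine has a concrete invariant to break.

```go
package main

import (
	"fmt"
	"strings"
	"testing"
)

// ParseHeader splits one "Name: value" line (constructed code under test, not Go's).
func ParseHeader(line string) (name, value string, err error) {
	i := strings.IndexByte(line, ':')
	if i <= 0 {
		return "", "", fmt.Errorf("missing field name or colon in %q", line)
	}
	name, value = line[:i], strings.TrimSpace(line[i+1:])
	if strings.ContainsAny(name, " \t\r\n") {
		return "", "", fmt.Errorf("whitespace in field name %q", name)
	}
	return name, value, nil
}

// RoundTrip is the invariant the fuzz target checks; rejected input is acceptable.
func RoundTrip(line string) error {
	name, value, err := ParseHeader(line)
	if err != nil {
		return nil
	}
	formatted := name + ": " + value
	name2, value2, err := ParseHeader(formatted)
	if err != nil {
		return fmt.Errorf("re-parse of %q failed: %v", formatted, err)
	}
	if name2 != name || value2 != value {
		return fmt.Errorf("%q round-tripped to %q/%q", line, name2, value2)
	}
	return nil
}

// FuzzParseHeader is a native fuzz target (Go 1.18+): f.Add seeds the corpus, then the
// engine mutates inputs. Put it in a _test.go file and run `go test -fuzz=FuzzParseHeader`.
func FuzzParseHeader(f *testing.F) {
	for _, seed := range []string{"Host: example", "X:", "nocolon", ":empty", "a b: c"} {
		f.Add(seed)
	}
	f.Fuzz(func(t *testing.T, line string) {
		if err := RoundTrip(line); err != nil {
			t.Fatal(err)
		}
	})
}
```

A crashing or failing input found by the engine is written under testdata/fuzz/FuzzParseHeader and replays as a regular test case on later `go test` runs.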
Secure services with Go’s cryptography libraries
Go’s cryptography libraries aim to help developers build secure applications. See documentation for the crypto packages and golang.org/x/crypto/.
FIPS 140-3 compliant cryptography
Go’s cryptography libraries can be used in a FIPS 140-3 compliant mode for use in regulated environments. See the FIPS 140-3 Compliance documentation for more information.