Automatically run govulncheck on go {get,install,mod} like NPM

Basic SCA is opt-in in Go, unlike NPM. This results in an ecosystem that is decades behind other programming languages.

Please trigger govulncheck by default when executing go get, go install, and go mod commands.

Excuse me, who should trigger those checks? If it’s about the tools, you can open a request in golang github.

The Go ecosystem is way beyond most programming languages out there. But as the philosophy of the language stands, you have all the bricks to build what you want. There are lots of people who don’t need to trigger those checks, or any other available tool. And there is no necessity to add them into the standard process.

Downstream users of Go modules aren’t even aware of the vulnerabilities. That’s how bad the security posture is by default. For comparison, .NET even shows the CVEs out of the box.

The ones who actually need to be aware of vulnerabilities def know how to trigger vulncheck. And since you can literally read the Go code from the package you are using, it’s possible to see what’s happening inside the third parties with your own eyes.

Anyone using Go deserves to have these security reports happen automatically out of the box. Opt-in hurts the ecosystem.

The ecosystem is called the ecosystem because you have lots of pieces working together. And you can decide what, where and how you want to do it. The default behavior of the installation utils is to install a third-party package so it can be used in the project, not to lint, scan or do whatever else. You can always write a script and create an alias for command line execution to run everything you want or need.
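The "write a script and create an alias" suggestion above, as an added example that is not part of the thread: a POSIX shell wrapper that runs govulncheck after the dependency-changing subcommands named in the original request (`go get`, `go install`, `go mod`) and leaves `go build`, `go test` and the rest untouched. It assumes `go` is on PATH and that `govulncheck` (from golang.org/x/vuln/cmd/govulncheck) is installed; the `should_scan` helper and the `go` function name are this example's own choices, not part of the Go toolchain.

```shell
#!/bin/sh
# Added example, not from the thread or the Go project: wrap `go` so that a
# govulncheck report follows any subcommand that fetches or rewrites
# dependencies. The report is informational only; the exit status of the
# real `go` command is passed through unchanged.

# Decide whether a subcommand is worth scanning after. Only the commands
# that touch the module graph qualify; build/test/run/vet are left alone.
should_scan() {
    case "$1" in
        get|install|mod) return 0 ;;
        *) return 1 ;;
    esac
}

# Shell function named `go`: put it in ~/.bashrc (or source this file) and
# every interactive `go ...` goes through it. `command go` bypasses the
# function and calls the real binary.
go() {
    rc=0
    command go "$@" || rc=$?

    # Scan only when the subcommand changed dependencies and we are inside a
    # module (govulncheck ./... needs a go.mod in the current directory).
    if should_scan "$1" && [ -f go.mod ]; then
        if command -v govulncheck >/dev/null 2>&1; then
            # Report findings; `|| true` keeps a finding from masking
            # the original command's status.
            govulncheck ./... || true
        else
            echo "govulncheck not installed; run:" \
                 "go install golang.org/x/vuln/cmd/govulncheck@latest" >&2
        fi
    fi
    return "$rc"
}
```

The wrapper deliberately does not fail the command on a finding: it surfaces the report, which is what the original request asks for, and leaves the decision to the user.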

I’m not asking go to refuse to launch insecure applications. Or compile insecure components. Or vendor insecure dependencies. Or cache insecure modules. Or exit non-zero.

I’m asking for the user to be made aware of latent vulnerabilities so that they will have good information. Then they can respond according to their needs.