Hi,
I built a VS Code extension that parses go.mod, checks each module against proxy.golang.org for the latest version, and queries OSV.dev for known CVEs.
I tested it on cli/cli (GitHub’s own CLI) and found 49 outdated modules and 1 CVE across 177 parsed modules. To verify the results, I manually checked each dependency — looking up versions on pkg.go.dev and cross-referencing CVEs on osv.dev. The manual process for ~60 dependencies took me roughly 4 hours. ScanReq does 177 modules in about 10 seconds.
Some Go-specific things I had to handle:
- Module paths with major versions: Go modules use path-based versioning (/v2, /v3), so the “latest version” check needs to query the right major version path, not just the module name.
- Replace directives: Modules replaced via replace in go.mod are flagged but not checked against the registry — they point to local paths or forks, not to the canonical version.
- Indirect dependencies: go.mod lists both direct and // indirect modules. ScanReq checks all of them since CVEs don’t care whether a dependency is direct or indirect.
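As an added illustration of the three cases above (not code from ScanReq), here is a small Go sketch that parses require and replace directives, records the // indirect flag, and builds the proxy @latest URL with the /vN suffix left in the module path. It goes slightly beyond the post by also applying the module proxy's case-encoding of uppercase path letters; it uses only the standard library, and the function names are my own.

```go
package main

import (
	"strings"
	"unicode"
)

// Require is one module from a go.mod require directive.
type Require struct {
	Path, Version string
	Indirect      bool // "// indirect" in go.mod; still scanned, CVEs do not care
}

// ParseGoMod reads require and replace directives (single-line or block form) and
// returns the required modules plus the module paths a replace directive redirects.
func ParseGoMod(src string) ([]Require, map[string]bool) {
	reqs, replaced, block := []Require{}, map[string]bool{}, ""
	for _, raw := range strings.Split(src, "\n") {
		f, kind := strings.Fields(raw), block
		if len(f) > 0 && (f[0] == "require" || f[0] == "replace") {
			kind, f = f[0], f[1:] // single-line directive, or a block opener
		}
		switch {
		case len(f) == 0 || strings.HasPrefix(f[0], "//"): // blank or comment line
		case f[0] == "(":
			block = kind
		case f[0] == ")":
			block = ""
		case kind == "require" && len(f) >= 2:
			reqs = append(reqs, Require{Path: f[0], Version: f[1],
				Indirect: strings.Contains(raw, "// indirect")})
		case kind == "replace": // f[0] is the replaced module; forks and local
			replaced[f[0]] = true // paths have no canonical version on the proxy
		}
	}
	return reqs, replaced
}

// ProxyLatestURL builds the GOPROXY @latest URL. The /vN suffix is part of the
// module path (github.com/x/y/v2 is not github.com/x/y); uppercase is case-encoded.
func ProxyLatestURL(modPath string) string {
	var b strings.Builder
	for _, r := range modPath {
		if unicode.IsUpper(r) {
			b.WriteRune('!') // "BurntSushi" -> "!burnt!sushi", per the proxy protocol
		}
		b.WriteRune(unicode.ToLower(r))
	}
	return "https://proxy.golang.org/" + b.String() + "/@latest"
}
```

Feed it the text of a go.mod; modules listed in the replaced set should be reported but skipped for the proxy lookup, while every other entry, indirect or not, gets a version and CVE check.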
The free tier covers version checking and CVE detection. Pro ($19, one-time) adds compatibility analysis and a risk-phased update plan.
If you want to verify any result, pick a CVE ID from a scan and paste it into osv.dev — all data comes from public sources.
- VS Code Marketplace: ScanReq
- Site: scanreq.com
- Source: github.com/JorgeCedilloAbarca/scanreq
Feedback welcome, especially around edge cases with complex go.mod setups.