Go Module Health Check
Paste your go.mod file. Check your Go runtime version, scan dependencies for known vulnerabilities, flag archived modules, and get a supply chain risk score.
Paste your go.mod file to check Go version and dependencies
How It Works
Paste Your go.mod
Paste the contents of your go.mod file including the Go version directive and all require blocks.
Vulnerability Scan
Each direct dependency is checked against the OSV vulnerability database (powered by Go’s vuln data). Archive status is verified in real-time via the GitHub API, and we suggest alternatives for well-known modules.
Risk Score
Get a supply chain risk grade (A–F) based on known vulnerabilities, archived status, and Go runtime support. Critical vulns weigh heavily; stable archived modules don’t.
FAQ
Is my go.mod sent anywhere?
Your go.mod is parsed locally in your browser. Network requests go to osv.dev (Google’s open-source vulnerability database) for CVE checks, and to the GitHub API to verify whether repositories are archived. No data is sent to ReleaseRun servers.
How does vulnerability scanning work?
Each direct dependency is checked against the OSV database, which includes Go’s official vulnerability data from vuln.go.dev. We send the module name, version, and ecosystem (“Go”) and get back any matching advisories with severity ratings.
How does archive detection work?
Archive status is checked in real-time via the GitHub API for each module, with results cached for 24 hours. This means you always get accurate, up-to-date information — no stale hardcoded lists. Go has a strong backwards compatibility promise, so an archived module isn’t inherently broken. The real risk is that if a vulnerability is found, nobody will patch it. That’s why we only penalize your score when an archived module also has known vulnerabilities. We also suggest well-known alternatives for popular modules, regardless of their archive status.
What technologies are tracked?
Well-known Go modules are mapped to technologies like PostgreSQL, Redis, MongoDB, Kubernetes, Docker, Terraform, MySQL, and Elasticsearch. Mapped modules show live health, EOL, and CVE badges from ReleaseRun.
Does this support go.sum files?
Not currently. The tool parses go.mod format only, which includes your Go version directive and dependency declarations. The go.sum file contains cryptographic checksums and is not needed for version or vulnerability analysis.
Stay ahead of Go ecosystem updates
Track Go releases, dependency updates, and security advisories.