From compliance
Analyzes a Go codebase for CVE vulnerabilities, gathers intelligence, assesses impact via call graph analysis, generates a risk report, and optionally suggests fixes.
How this command is triggered — by the user, by Claude, or both
Slash command
/compliance:analyze-cve <CVE-ID> [--algo=vta|rta|cha|static]The summary Claude sees in its command listing — used to decide when to auto-load this command
## Name compliance:analyze-cve ## Synopsis ## Description The `compliance:analyze-cve` command performs comprehensive security vulnerability analysis for Go projects. Given a CVE identifier, it gathers vulnerability intelligence, analyzes the codebase for impact, generates a risk report, and optionally applies fixes. ## Implementation ### Phase 0: Setup and Tool Validation 1. **Parse Arguments** - Extract `<CVE-ID>` (required) from the first argument - Extract `--algo` value if provided (optional, default: `vta`) - Valid `--algo` values: `vta`, `rta`, `cha`, `static` 2. **Ch...
compliance:analyze-cve
/compliance:analyze-cve <CVE-ID> [--algo=vta|rta|cha|static]
The compliance:analyze-cve command performs comprehensive security vulnerability analysis for Go projects. Given a CVE identifier, it gathers vulnerability intelligence, analyzes the codebase for impact, generates a risk report, and optionally applies fixes.
Parse Arguments
<CVE-ID> (required) from the first argument--algo value if provided (optional, default: vta)--algo values: vta, rta, cha, staticCheck Required Tools
go version 2>/dev/null || echo "MISSING: go"
[ -f go.mod ] || echo "MISSING: go.mod"
which govulncheck 2>/dev/null || echo "MISSING: govulncheck"
which callgraph 2>/dev/null || echo "MISSING: callgraph"
which digraph 2>/dev/null || echo "MISSING: digraph"
If ANY Tool is Missing → Display installation instructions and exit with error:
go install golang.org/x/vuln/cmd/govulncheck@latest
go install golang.org/x/tools/cmd/callgraph@latest
go install golang.org/x/tools/cmd/digraph@latest
If All Tools Present → Continue to Phase 1
Decision Point:
--algo preferenceDecision Point:
Generate analysis report at .work/compliance/analyze-cve/{CVE-ID}/report.md
Report structure:
Additional artifacts (as generated):
callgraph.svg (if call graph analysis was performed)govulncheck-output.txt (if scanner was run)evidence.json (structured evidence data)Decision Point:
Requires explicit user approval before proceeding.
Apply Fixes
go.mod/go.sum: go get -u <package>@<fixed-version> + go mod tidyVerify Changes
make verify or go mod verifymake build or go build ./...make test or go test ./...govulncheck ./...Document Changes
.work/compliance/analyze-cve/{CVE-ID}/report.md<CVE-ID>: The CVE identifier to analyze (e.g., CVE-2024-1234, CVE-2023-45678)
--algo: Call graph construction algorithm (optional, default: vta)
vta - Most precise, fewest false positives (recommended)rta - Good balance of precision and speedcha - Fast, less precisestatic - Fastest, least preciseBasic CVE analysis:
/compliance:analyze-cve CVE-2024-45338
With specific algorithm:
/compliance:analyze-cve CVE-2024-45338 --algo=rta
All tools are required. The command exits with an error if any are missing.
# Install all required Go tools
go install golang.org/x/vuln/cmd/govulncheck@latest
go install golang.org/x/tools/cmd/callgraph@latest
go install golang.org/x/tools/cmd/digraph@latest
Optional: graphviz for visual call graph generation (brew install graphviz or sudo apt-get install graphviz)
Internet access is recommended for CVE data fetching but not required if you can provide CVE details manually.
npx claudepluginhub anirudhagniredhat/openshift-ai-helpers --plugin compliance24plugins reuse this command
First indexed Feb 18, 2026
Showing the 6 earliest of 24 plugins
/analyze-cveAnalyzes a Go codebase for CVE vulnerabilities, gathers intelligence, assesses impact via call graph analysis, generates a risk report, and optionally suggests fixes.
/securityScans code for exposed secrets and vulnerabilities via the github-autopilot MCP server, reporting risk level, severity, and fixes with redacted secrets.
/scanScans the codebase for security vulnerabilities using static analysis, dependency CVE checks, and configuration review. Produces a severity-categorized report with remediation steps.
/huntRuns full CVE hunting pipeline on an npm package: registry check, repo clone, code review, PoC development, validation gates, and report generation.
/dependenciesScans project dependencies for CVE vulnerabilities across 11 package managers (npm, pip, cargo, bundler, etc.), generates risk scores, and provides fix recommendations.
/fix-vulnerabilityDiagnoses and fixes a specific security vulnerability, locating instances, implementing remediation, verifying fixes, and documenting changes.