From compliance
Analyze a Go codebase to determine if it is impacted by a specific CVE using multiple verification methods and assign a risk level
How this skill is triggered — by the user, by Claude, or both
Slash command
/compliance:codebase-impact-analysisThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Determines whether a Go codebase is impacted by a specific CVE by applying multiple analysis methods with increasing confidence, collecting evidence, and assigning a risk level.
Determines whether a Go codebase is impacted by a specific CVE by applying multiple analysis methods with increasing confidence, collecting evidence, and assigning a risk level.
Use this skill when:
go toolchain with go.mod in workspace rootgovulncheck: go install golang.org/x/vuln/cmd/govulncheck@latestcallgraph: go install golang.org/x/tools/cmd/callgraph@latestdigraph: go install golang.org/x/tools/cmd/digraph@latestFrom Phase 1 (cve-intelligence-gathering skill):
From Parent Command:
--algo preference for call graph analysis (default: vta)# Parse dependencies from go.mod
go list -m all
# Get detailed dependency info
go list -m -json all
go.mod from workspace rootApply the following methods in order. Each provides increasing confidence.
go.mod dependencies# Check if vulnerable package is a dependency
go list -m <vulnerable-package>
Decision Point:
# Run official Go vulnerability scanner
govulncheck ./...
Decision Point:
# Verify package is included (directly or transitively)
go list -mod=mod <vulnerable-package>
Note: Package presence alone doesn't prove vulnerable functions are called.
Delegate to the call-graph-analysis skill.
--algo preference from user, vulnerable function signature, package pathEach method provides increasing confidence:
go.mod (Method 1, 3)govulncheck confirms reachable vulnerable symbols (Method 2)Use multiple methods. Confidence determination should be data-driven, not formula-based.
Collect evidence from all methods used:
go.mod entries, go list output, version info.work/compliance/analyze-cve/{CVE-ID}/callgraph.svg)govulncheck output, vulnerability findingsEvaluate all evidence and assign a risk level. The determination should be data-driven, not formula-based.
HIGH RISK:
MEDIUM RISK:
LOW RISK:
NEEDS REVIEW:
Return structured result to parent command:
{
"skill": "codebase-impact-analysis",
"status": "success",
"risk_level": "<HIGH|MEDIUM|LOW|NEEDS_REVIEW>",
"methods_used": ["dependency_matching", "govulncheck", "direct_dependency_check", "source_code_analysis", "call_graph", "context_analysis"],
"evidence": {
"dependency": {
"package_found": true,
"current_version": "<version>",
"dependency_type": "<direct|indirect>",
"in_vulnerable_range": true
},
"govulncheck": {
"ran": true,
"cve_found": true,
"vulnerable_symbols_called": true
},
"call_graph": {
"ran": true,
"algorithm": "<vta|rta|cha|static>",
"reachable_from_main": true,
"call_chain": "main -> handler -> parse -> VULN",
"evidence_files": ["callgraph.dot", "callgraph.svg"]
},
"source_analysis": {
"import_found": true,
"function_usage_found": true,
"files": ["<file1>:<line>", "<file2>:<line>"]
},
"mitigation_factors": []
},
"confidence_assessment": {
"level": "<HIGH|MEDIUM|LOW>",
"methods_count": 4,
"gaps": ["<any gaps in analysis>"]
}
}
This skill is called from Phase 2 of the /compliance:analyze-cve command.
Input: CVE profile from Phase 1, --algo preference from user
Output: Risk level, evidence package, confidence assessment
Next: Parent command uses risk level to decide whether to generate report and proceed to remediation
Creates structured, bite-sized implementation plans from specs or requirements before writing code. Useful for breaking down multi-step tasks into testable steps with file structure and task boundaries.
10plugins reuse this skill
First indexed Jul 11, 2026
Showing the 6 earliest of 10 plugins
npx claudepluginhub bradmwilliams/ai-helpers --plugin compliance