From compliance
Analyzes Go codebases for CVE impact using dependency checks, govulncheck scanning, callgraph analysis, and source searches; assigns risk level with evidence.
How this skill is triggered — by the user, by Claude, or both
Slash command
/compliance:codebase-impact-analysisThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Determines whether a Go codebase is impacted by a specific CVE by applying multiple analysis methods with increasing confidence, collecting evidence, and assigning a risk level.
Determines whether a Go codebase is impacted by a specific CVE by applying multiple analysis methods with increasing confidence, collecting evidence, and assigning a risk level.
Use this skill when:
go toolchain with go.mod in workspace rootgovulncheck: go install golang.org/x/vuln/cmd/govulncheck@latestcallgraph: go install golang.org/x/tools/cmd/callgraph@latestdigraph: go install golang.org/x/tools/cmd/digraph@latestFrom Phase 1 (CVE Intelligence Gathering skill):
From Parent Command:
--algo preference for call graph analysis (default: vta)# Parse dependencies from go.mod
go list -m all
# Get detailed dependency info
go list -m -json all
go.mod from workspace rootApply the following methods in order. Each provides increasing confidence.
go.mod dependencies# Check if vulnerable package is a dependency
go list -m <vulnerable-package>
Decision Point:
# Run official Go vulnerability scanner
govulncheck ./...
Decision Point:
# Verify package is included (directly or transitively)
go list -mod=mod <vulnerable-package>
Note: Package presence alone doesn't prove vulnerable functions are called.
Delegate to the call-graph-analysis skill.
--algo preference from user, vulnerable function signature, package pathEach method provides increasing confidence:
go.mod (Method 1, 3)govulncheck confirms reachable vulnerable symbols (Method 2)Use multiple methods. Confidence determination should be data-driven, not formula-based.
Collect evidence from all methods used:
go.mod entries, go list output, version info.work/compliance/analyze-cve/{CVE-ID}/callgraph.svg)govulncheck output, vulnerability findingsEvaluate all evidence and assign a risk level. The determination should be data-driven, not formula-based.
HIGH RISK:
MEDIUM RISK:
LOW RISK:
NEEDS REVIEW:
Return structured result to parent command:
{
"skill": "codebase-impact-analysis",
"status": "success",
"risk_level": "<HIGH|MEDIUM|LOW|NEEDS_REVIEW>",
"methods_used": ["dependency_matching", "govulncheck", "direct_dependency_check", "source_code_analysis", "call_graph", "context_analysis"],
"evidence": {
"dependency": {
"package_found": true,
"current_version": "<version>",
"dependency_type": "<direct|indirect>",
"in_vulnerable_range": true
},
"govulncheck": {
"ran": true,
"cve_found": true,
"vulnerable_symbols_called": true
},
"call_graph": {
"ran": true,
"algorithm": "<vta|rta|cha|static>",
"reachable_from_main": true,
"call_chain": "main -> handler -> parse -> VULN",
"evidence_files": ["callgraph.dot", "callgraph.svg"]
},
"source_analysis": {
"import_found": true,
"function_usage_found": true,
"files": ["<file1>:<line>", "<file2>:<line>"]
},
"mitigation_factors": []
},
"confidence_assessment": {
"level": "<HIGH|MEDIUM|LOW>",
"methods_count": 4,
"gaps": ["<any gaps in analysis>"]
}
}
This skill is called from Phase 2 of the /compliance:analyze-cve command.
Input: CVE profile from Phase 1, --algo preference from user
Output: Risk level, evidence package, confidence assessment
Next: Parent command uses risk level to decide whether to generate report and proceed to remediation
12plugins reuse this skill
First indexed Jul 18, 2026
Showing the 6 earliest of 12 plugins
npx claudepluginhub petr-muller/openshift-ai-helpers --plugin complianceAnalyzes Go codebases for CVE impact using dependency checks, govulncheck scanning, callgraph analysis, and source searches; assigns risk level with evidence.
Determines whether a known CVE/GHSA advisory is actually exploitable in a given project using reachability analysis across multiple ecosystems (npm, Maven, pip, Go, Rust, etc.).
Scans a cloned repository for a specific CVE using version-matched toolchains for Go, Node.js, and Python. Writes structured result to a JSON file for automated triage.