
x/tools/gopls: add conditional vulncheck IDE support #75447

@ethanalee-work

Description


Introduction

There is an opportunity to provide proactive vulnerability scanning support via vulncheck in IDEs. Currently, this is disabled in gopls, but with advances in telemetry collection and intentional placement of tooling, we can create a pleasing and useful user experience.

Motivation

This initiative builds upon the findings presented in a UX study conducted to assess the usability of vulncheck within an IDE. It established the following:

  • Participants highly valued having precise vulnerability scanning within their code editor.
  • Participants expressed that there were points of confusion in the core workflow. Some level of automation and surfacing of vulnerabilities in the code could resolve these.
  • A UI with too much information could distract users. Having reduced complexity is something that participants desired.

With this user feedback in mind, it would be advantageous to re-integrate vulncheck tooling into IDE workflows via gopls in an intentional way. Vulncheck should not be invoked without a user’s permission, but could be brought to users’ attention at key moments (such as when new dependencies are added). This will avoid frequent pop-up notifications. Thus, we will be able to provide a minimally invasive solution to vulnerability scanning that meshes well with users’ expectation of an intuitive IDE workflow.

Design

IDE Integration

The following components will need to be created (along with their respective telemetry):

  • Create an initial pop-up notification for users to opt in to running vulncheck (Yes, No, Never).
    • If Never is selected, then that choice should be written to .config/gopls.
  • Add a vulncheckPrompt setting to gopls/internal/settings.
  • When vulncheck is run, store a hash of dependencies (perhaps in .config/gopls).
  • When dependencies are updated (if go.mod changes), decide based on the stored hash whether to prompt users again.
    • Whenever go.mod changes on disk, the workspace is reloaded. When gopls calls packages.Load on the entire workspace, the payload of package information can be used to hash the changes in dependencies.
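The prompt-on-dependency-change logic described above, written out as an added, self-contained Go example. This is not gopls code and does not use its internal types: the `Module` struct, the `State` that would be persisted (the proposal suggests .config/gopls), and the `PromptChoice` values are assumptions made for illustration. The hash is taken over the sorted, de-duplicated set of path@version pairs, so it does not depend on the order in which packages.Load happens to report modules, and a "Never" answer suppresses the prompt regardless of later go.mod edits.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Module identifies one dependency as a workspace load would report it.
// Constructed for this example; not gopls's own representation.
type Module struct {
	Path    string
	Version string
}

// PromptChoice is the user's last answer to the opt-in prompt (assumed values).
type PromptChoice int

const (
	ChoiceUnset PromptChoice = iota
	ChoiceYes
	ChoiceNo
	ChoiceNever
)

// State is what would be persisted between sessions (hypothetical layout).
type State struct {
	Choice  PromptChoice
	DepHash string
}

// DependencyHash returns a hex SHA-256 over the sorted, de-duplicated
// path@version pairs, so the result is independent of load order.
func DependencyHash(mods []Module) string {
	seen := make(map[string]struct{}, len(mods))
	keys := make([]string, 0, len(mods))
	for _, m := range mods {
		k := m.Path + "@" + m.Version
		if _, dup := seen[k]; dup {
			continue
		}
		seen[k] = struct{}{}
		keys = append(keys, k)
	}
	sort.Strings(keys)
	sum := sha256.Sum256([]byte(strings.Join(keys, "\n")))
	return hex.EncodeToString(sum[:])
}

// ShouldPrompt decides whether to show the opt-in prompt after a reload:
// never after a "Never" answer, otherwise only when the dependency set
// differs from the one recorded at the last prompt.
func ShouldPrompt(st State, current []Module) bool {
	if st.Choice == ChoiceNever {
		return false
	}
	return st.DepHash != DependencyHash(current)
}

// Record stores the user's answer together with the hash of the
// dependency set the prompt was shown for.
func Record(st State, choice PromptChoice, mods []Module) State {
	st.Choice = choice
	st.DepHash = DependencyHash(mods)
	return st
}

func main() {
	// Constructed sample dependency sets.
	deps := []Module{{"golang.org/x/text", "v0.3.0"}, {"github.com/foo/bar", "v1.2.3"}}
	var st State
	fmt.Println("first load, prompt:", ShouldPrompt(st, deps))
	st = Record(st, ChoiceNo, deps)
	fmt.Println("same deps, prompt:", ShouldPrompt(st, deps))
	deps = append(deps, Module{"example.com/new", "v0.1.0"})
	fmt.Println("new dep, prompt:", ShouldPrompt(st, deps))
}
```

The same decision function could be driven from the module list gopls already obtains during a workspace reload; the point of hashing rather than storing the whole list is that the persisted state stays small and comparison is a single string equality.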

Telemetry

  • Enable telemetry to see if users are opting into vulncheck analyses.
  • Verify if users are pressing the button to run vulncheck as a code lens on a user’s go.mod file.
  • Add telemetry for this new feature to identify if users are opting in via gopls/internal/settings.

Collaboration with @findleyr

Labels

  • Tools: This label describes issues relating to any tools in the x/tools repository.
  • gopls: Issues related to the Go language server, gopls.
