
Guided Remediation support for Go modules #2714

@cedws

Summary

Add Go (go.mod/go.sum) as a supported ecosystem for osv-scanner fix guided remediation.

Background

Guided remediation (osv-scanner fix) currently supports npm, Maven, and Gradle (#352, #1141). Go is not yet supported despite being a first-class language in the scanner itself.

Notably, osv-scanner already performs call-graph reachability analysis for Go using govulncheck under the hood (enabled by default). This means the scanning infrastructure to identify which vulnerabilities are actually reachable is already in place — the missing piece is wiring that into the remediation pipeline.

Why this matters

The Go ecosystem uniquely benefits from reachability-aware remediation:

  1. Go projects often pull in many transitive dependencies that are never actually called
  2. govulncheck already classifies findings as Called, Imported, or Required — providing a natural filter for which vulns actually need fixing
  3. Current tools (Dependabot, Renovate) flag every vulnerable dependency regardless of reachability, creating significant noise
  4. No existing tool combines Go reachability analysis with automated remediation PRs

What this would enable

A single command like osv-scanner fix --non-interactive that:

  1. Identifies reachable vulnerabilities (via the existing govulncheck integration)
  2. Resolves the minimum version bump needed per module
  3. Applies go get + go mod tidy to fix only the reachable vulns
  4. Outputs a diff / changelog for PR creation

This would make osv-scanner the first tool to offer reachability-filtered automated Go dependency remediation.

References

  • Original guided remediation tracking issue: #352
  • Original "suggest fixes" request: #12
  • Guided remediation migration to osv-scalibr: #2413
  • Maven guided remediation: #1141
  • Closing comment suggesting per-ecosystem issues: #352 (comment)
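Added example, not part of the issue above and not osv-scanner or govulncheck code: a small Go program that sketches steps 1 to 3 of the pipeline the issue describes, i.e. the reachability filter, the per-module minimum bump, and the resulting `go get` / `go mod tidy` commands, over a constructed govulncheck `-json` stream. The `finding` / `trace` shape follows govulncheck's `-json` output as I understand it (the first trace frame is the vulnerable symbol; a `function` on it means Called, a `package` without a `function` means Imported, a bare `module` means Required), which is an assumption. The `example.com` module names, the `GO-0000-000N` IDs and the versions in `SampleStream` are made up, and the version comparison is a deliberate simplification of semver.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strconv"
	"strings"
)

// Frame and Finding mirror govulncheck's -json "finding" objects as I understand
// that format (an assumption; this is not osv-scanner or govulncheck code).
type Frame struct{ Module, Version, Package, Function string }
type Finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version"`
	Trace        []Frame `json:"trace"`
}

// Reachability levels, read off the first trace frame (the vulnerable symbol).
const (
	Required = "required" // module in go.mod, vulnerable package not imported
	Imported = "imported" // package imported, vulnerable symbol never called
	Called   = "called"   // symbol on the call graph: actually reachable
)

func Classify(f Finding) string {
	switch {
	case len(f.Trace) == 0 || f.Trace[0].Package == "":
		return Required
	case f.Trace[0].Function == "":
		return Imported
	}
	return Called
}

// ParseFindings decodes the object stream; config/progress/osv entries are skipped.
func ParseFindings(r io.Reader) ([]Finding, error) {
	dec, out := json.NewDecoder(r), []Finding{}
	for {
		var e struct{ Finding *Finding }
		if err := dec.Decode(&e); err == io.EOF {
			return out, nil
		} else if err != nil {
			return nil, err
		}
		if e.Finding != nil {
			out = append(out, *e.Finding)
		}
	}
}

// semverKey makes vMAJOR.MINOR.PATCH comparable as an int. Simplification: the
// prerelease/build suffix is ignored and each component is assumed below 1000.
func semverKey(v string) (k int) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	for _, s := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(s)
		k = k*1000 + n
	}
	return k
}

// Bump is the smallest upgrade of one module that closes every called vuln in it.
type Bump struct {
	Module, To string
	OSVs       []string
}

// PlanBumps is the reachability filter: only Called findings are planned, grouped
// by module with the highest fixed version winning. Called vulns without a fixed
// version cannot be bumped and are returned separately rather than dropped.
func PlanBumps(fs []Finding) (bumps []Bump, unfixable []string) {
	byMod := map[string]*Bump{}
	for _, f := range fs {
		if Classify(f) != Called {
			continue
		}
		if f.FixedVersion == "" {
			unfixable = append(unfixable, f.OSV)
			continue
		}
		m := f.Trace[0].Module
		if b := byMod[m]; b == nil {
			byMod[m] = &Bump{Module: m, To: f.FixedVersion}
		} else if semverKey(b.To) < semverKey(f.FixedVersion) {
			b.To = f.FixedVersion
		}
		byMod[m].OSVs = append(byMod[m].OSVs, f.OSV)
	}
	for _, b := range byMod {
		bumps = append(bumps, *b)
	}
	sort.Slice(bumps, func(i, j int) bool { return bumps[i].Module < bumps[j].Module })
	return bumps, unfixable
}

// Commands renders the steps that apply the plan: one go get per module, then tidy.
func Commands(bumps []Bump) (cmds []string) {
	for _, b := range bumps {
		cmds = append(cmds, fmt.Sprintf("go get %s@%s  # %s", b.Module, b.To, strings.Join(b.OSVs, ", ")))
	}
	if len(cmds) > 0 {
		cmds = append(cmds, "go mod tidy")
	}
	return cmds
}

// SampleStream is constructed data: example.com modules and placeholder GO-0000-000N IDs.
const SampleStream = `
{"config":{"scanner_name":"govulncheck"}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v1.2.3","trace":[{"module":"example.com/lib/alpha","version":"v1.2.0","package":"example.com/lib/alpha/parse","function":"Decode"},{"module":"example.com/app","package":"example.com/app","function":"main"}]}}
{"finding":{"osv":"GO-0000-0002","fixed_version":"v1.4.0","trace":[{"module":"example.com/lib/alpha","version":"v1.2.0","package":"example.com/lib/alpha/parse"}]}}
{"finding":{"osv":"GO-0000-0003","fixed_version":"v0.9.0","trace":[{"module":"example.com/lib/beta","version":"v0.8.1","package":"example.com/lib/beta","function":"Serve"}]}}
{"finding":{"osv":"GO-0000-0004","fixed_version":"v0.8.5","trace":[{"module":"example.com/lib/beta","version":"v0.8.1","package":"example.com/lib/beta","function":"Listen"}]}}
{"finding":{"osv":"GO-0000-0005","fixed_version":"v2.0.0","trace":[{"module":"example.com/lib/gamma","version":"v1.0.0"}]}}
{"finding":{"osv":"GO-0000-0006","trace":[{"module":"example.com/lib/delta","version":"v0.3.0","package":"example.com/lib/delta","function":"Open"}]}}
`

func main() {
	fs, err := ParseFindings(strings.NewReader(SampleStream))
	if err != nil {
		panic(err)
	}
	bumps, unfixable := PlanBumps(fs)
	fmt.Println(strings.Join(Commands(bumps), "\n"))
	fmt.Println("# called but no fixed version yet:", unfixable)
}
```

Two things the sample is built to show: the imported-only finding in `example.com/lib/alpha` (fixed in v1.4.0) does not raise the planned bump above v1.2.3, because only the called finding is in scope, and the called finding in `example.com/lib/delta` with no fixed version is reported instead of silently disappearing from the plan. In a real pipeline the `go get` / `go mod tidy` step should be followed by a rescan: a version bump can change the transitive module graph, and with it which symbols are reachable.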
