Gorisk

Dependency risk analysis engine for supply-chain visibility

About this skill

Quality Score: 0/100

Supported Platforms: Universal
README

gorisk

<img src="assets/gorisk.png" alt="gorisk" width="390"/>

Behavioral supply-chain risk intelligence from code structure. Maps what your dependencies can do — network access, exec, filesystem writes, unsafe pointers — not just what CVEs they carry.


Why gorisk

| Tool | CVEs | Capabilities | Evidence | Upgrade risk | Blast radius | Polyglot | Offline | Free |
|------|------|--------------|----------|--------------|--------------|----------|---------|------|
| govulncheck | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ |
| Snyk | ✅ | ❌ | ❌ | partial | ❌ | partial | ❌ | SaaS |
| goda | ❌ | ❌ | ❌ | ❌ | partial | ❌ | ✅ | ✅ |
| GoSurf | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ |
| gorisk | via OSV | | | | | | | |

Key differentiators:

  • Polyglot — 22 languages: Go, Node.js, PHP, Python, Rust, Java, Ruby, C#/.NET, Dart, Swift, Elixir, Kotlin, Scala, C/C++, Haskell, Clojure, Erlang, OCaml, Julia, R, Perl, Lua. Every language supports the full feature suite — scan, reachability, upgrade intelligence, PR diff.
  • Capability detection — detect which packages can read files, make network calls, spawn processes, or use unsafe/eval. Know what your dependencies can do before they're in production.
  • Evidence + confidence — every capability detection is backed by file path, line number, match context, and a confidence score (import = 90%, call site = 75%, install script = 85%).
  • Capability diff — compare two versions of a dependency and detect capability escalation. If v1.2.3 → v1.3.0 quietly added exec or network, gorisk flags it as a supply chain risk signal.
  • Deterministic output — all output is sorted; every scan produces a short SHA-256 graph checksum so CI can detect silent graph changes between runs.
  • CVE listing — full list of OSV vulnerability IDs per module, not just a count.
  • Blast radius — simulate removing a module and see exactly which packages and binaries break, plus LOC impact.
  • Upgrade risk — diff exported symbols between versions (Go) or lockfile versions (all other languages) to detect breaking API changes before you upgrade.
  • Health scoring — combines commit activity, release cadence, archived status, and CVE count into a single score (parallel, 10 workers).
  • Reachability — prove a capability is reachable from main via callgraph (Go) or import graph (all other languages). Supports --entry to target a specific binary.
  • History + trend — snapshot risk over time, diff between snapshots, view score sparklines per module.
  • CI-native — SARIF output compatible with GitHub Code Scanning. Exit codes for policy gating. --timings flag for build profiling.

Install

go install github.com/1homsi/gorisk/cmd/gorisk@latest

Language support

gorisk auto-detects the language from the project directory. Use --lang to override.

gorisk scan              # auto-detect
gorisk scan --lang go    # force Go
gorisk scan --lang node  # force Node.js
gorisk scan --lang python
gorisk scan --lang java
gorisk scan --lang rust
# ... any --lang value from the table below

When both go.mod and package.json are present (monorepo), both analyzers run and their dependency graphs are merged.

Supported languages

All 22 languages support: scan, capabilities, explain, graph, reachability, upgrade, pr, sbom, licenses, viz, history, impact, and trace.

All 22 languages use ✅ Full analysis depth — deep AST + interprocedural callgraph analysis with function-level capability propagation.

| Language | --lang | Analysis depth | Detection signal | Lockfile / manifest |
|----------|--------|----------------|------------------|---------------------|
| Go | go | ✅ Full | go.mod | go.mod + go list; go.work workspace |
| Node.js | node | ✅ Full | package.json | package-lock.json v1/v2/v3, yarn.lock, pnpm-lock.yaml; npm/yarn/pnpm workspaces |
| PHP | php | ✅ Full | composer.json / composer.lock | composer.lock; Laravel, Symfony, bare Composer |
| Python | python | ✅ Full | pyproject.toml / requirements.txt | poetry.lock, Pipfile.lock, requirements.txt, pyproject.toml |
| Java | java | ✅ Full | pom.xml / build.gradle | pom.xml, gradle.lockfile, build.gradle / build.gradle.kts |
| Rust | rust | ✅ Full | Cargo.toml | Cargo.lock, Cargo.toml |
| Ruby | ruby | ✅ Full | Gemfile / Gemfile.lock | Gemfile.lock, Gemfile |
| C#/.NET | dotnet | ✅ Full | packages.lock.json / *.csproj | NuGet packages.lock.json, .csproj PackageReference |
| Dart/Flutter | dart | ✅ Full | pubspec.lock / pubspec.yaml | pubspec.lock, pubspec.yaml |
| Swift | swift | ✅ Full | Package.resolved / Package.swift | Package.resolved v1/v2/v3, Package.swift |
| Elixir | elixir | ✅ Full | mix.lock / mix.exs | mix.lock, mix.exs |
| Kotlin | kotlin | ✅ Full | libs.versions.toml / build.gradle.kts | gradle/libs.versions.toml, build.gradle.kts, build.gradle |
| Scala | scala | ✅ Full | build.sbt | build.sbt |
| C/C++ | cpp | ✅ Full | vcpkg.json / conanfile.py | vcpkg.json, conanfile.py, conanfile.txt |
| Haskell | haskell | ✅ Full | cabal.project.freeze / stack.yaml.lock | cabal.project.freeze, stack.yaml.lock, *.cabal |
| Clojure | clojure | ✅ Full | deps.edn / project.clj | deps.edn (tools.deps), project.clj (Leiningen) |
| Erlang/OTP | erlang | ✅ Full | rebar.lock / rebar.config | rebar.lock, rebar.config |
| OCaml | ocaml | ✅ Full | *.opam.locked / opam.locked | *.opam.locked, opam.locked, *.opam |
| Julia | julia | ✅ Full | Manifest.toml | Manifest.toml, Project.toml |
| R | r | ✅ Full | renv.lock / DESCRIPTION | renv.lock, DESCRIPTION |
| Perl | perl | ✅ Full | cpanfile.snapshot / cpanfile | cpanfile.snapshot (Carton), cpanfile |
| Lua | lua | ✅ Full | luarocks.lock / *.rockspec | luarocks.lock, *.rockspec |

Full analysis resolves interprocedural call chains across package boundaries — gorisk traces main() → helper → os/exec and scores the capability at each hop with confidence decay. All 22 languages have function-boundary detection, call edge extraction, and are wired through the k=1 CFA context-sensitive fixpoint engine.

Want to add a language? See Contributing.


Capability taxonomy

All languages map to the same 9 capabilities. Risk level is derived from the total weight: LOW < 10, MEDIUM ≥ 10, HIGH ≥ 30.

| Capability | Weight | Meaning |
|------------|--------|---------|
| fs:read | 5 | Reads from the filesystem |
| fs:write | 10 | Writes to or deletes files |
| network | 15 | Makes outbound network connections |
| exec | 20 | Spawns subprocesses or shell commands |
| env | 5 | Reads environment variables |
| crypto | 5 | Uses cryptographic primitives |
| reflect | 5 | Uses runtime reflection |
| unsafe | 25 | Bypasses memory/type safety (unsafe, eval, vm) |
| plugin | 20 | Loads or executes external code at runtime |
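As an added illustration (not gorisk's own code), here is a Go reimplementation of the weight-to-risk mapping above combined with the 65% confidence cut-off that `--hide-low-confidence` applies in the scan command. Counting each distinct capability once per package is an assumption of this example, as is the `Finding` type.

```go
package main

import "sort"

// Weights from the capability taxonomy table above.
var capabilityWeight = map[string]int{"fs:read": 5, "fs:write": 10, "network": 15,
	"exec": 20, "env": 5, "crypto": 5, "reflect": 5, "unsafe": 25, "plugin": 20}

// Finding is one capability detection with its evidence confidence in percent
// (import = 90, call site = 75, install script = 85 per the README).
type Finding struct {
	Capability string
	Confidence int
}

// minConfidence mirrors --hide-low-confidence, which hides findings below 65%.
const minConfidence = 65

// Score sums the weights of the distinct capabilities a package exhibits (each
// counted once, an assumption here) and returns them sorted with the total.
func Score(findings []Finding, hideLowConfidence bool) ([]string, int) {
	seen := map[string]bool{}
	for _, f := range findings {
		if hideLowConfidence && f.Confidence < minConfidence {
			continue // dropped as low-confidence evidence
		}
		if _, known := capabilityWeight[f.Capability]; known {
			seen[f.Capability] = true
		}
	}
	caps, total := make([]string, 0, len(seen)), 0
	for c := range seen {
		caps = append(caps, c)
		total += capabilityWeight[c]
	}
	sort.Strings(caps) // gorisk sorts all output; keep this deterministic too
	return caps, total
}

// RiskLevel applies the documented thresholds: LOW < 10, MEDIUM >= 10, HIGH >= 30.
func RiskLevel(total int) string {
	if total >= 30 {
		return "HIGH"
	}
	if total >= 10 {
		return "MEDIUM"
	}
	return "LOW"
}
```

With a constructed input of a network import (90%), an env call site (75%) and a weak exec match at 60%, hiding low-confidence findings yields `[env network]`, total 20, MEDIUM; keeping them yields total 40, HIGH.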

For the full per-language detection reference (imports, call-site patterns, confidence levels, and AST detection for all 22 supported languages), see docs/capability-detection.md.


Commands

gorisk scan

Full scan: capabilities + health scoring + CVE listing + CI gate. Prints a graph checksum for reproducibility.

# Basic
gorisk scan

# Force language
gorisk scan --lang go
gorisk scan --lang node

# Output formats
gorisk scan --json
gorisk scan --sarif > results.sarif

# CI failure threshold
gorisk scan --fail-on medium      # fail if any MEDIUM+ risk package
gorisk scan --fail-on low         # strictest: fail on any capability

# Policy file (see Policy section below)
gorisk scan --policy .gorisk-policy.json

# Limit output to top N packages by risk score
gorisk scan --top 10

# Filter to a specific module and its transitive deps
gorisk scan --focus github.com/foo/bar

# Hide findings below 65% confidence
gorisk scan --hide-low-confidence

# Monorepo: merge all workspace members (go.work / npm/pnpm workspaces)
gorisk scan --workspace

# Diff against a base ref (requires git)
gorisk scan --base origin/main

# Online mode: include health scores and CVE data
gorisk scan --online

# Performance instrumentation
gorisk scan --timings

# Combination
gorisk scan --policy policy.json --fail-on high --json

Output (text):

graph checksum: a3f2b1c9d5e78f01

=== Capability Report ===

PACKAGE                  MODULE                   CAPABILITIES        SCORE  RISK
─────────────────────────────────────────────────────────────────────────────────
golang.org/x/net/http2   golang.org/x/net         network               15  MEDIUM
os/exec                  stdlib                   exec                  20  HIGH

=== Health Report ===

MODULE            VERSION       SCORE  CVEs  STATUS
─────────────────────────────────────────────────
golang.org/x/net  v0.25.0          85     0  OK

✓ PASSED

--timings output (appended after normal output):

=== Timings ===
graph load                1.23s
capability detect         0.08s
health scoring            4.51s  (24 modules, 10 workers)
  github API              3.92s  (48 calls)
  osv API                 0.59s  (24 calls)
output formatting         0.01s
────────────────────────────────────────
total                     5.83s

--json adds:

  • "graph_checksum" — short SHA-256 of the dependency graph for diffing between CI runs
gorisk scan --json | jq .graph_checksum
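An added example (not gorisk's code) of how a deterministic graph checksum like the one above can be produced and then consumed by a CI job: canonicalise the dependency edges, hash them with SHA-256 and keep a short prefix. The edge line format, the 16-character truncation, the `Edge` type and the sample module names are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Edge is one dependency relation: From requires To at Version.
type Edge struct{ From, To, Version string }

// GraphChecksum canonicalises the edge list (de-duplicated, sorted, one edge
// per line), hashes it with SHA-256 and returns the first 16 hex characters.
// Line format and truncation length are assumptions of this example.
func GraphChecksum(edges []Edge) string {
	set := make(map[string]struct{}, len(edges))
	for _, e := range edges {
		set[e.From+" -> "+e.To+"@"+e.Version] = struct{}{}
	}
	lines := make([]string, 0, len(set))
	for l := range set {
		lines = append(lines, l)
	}
	sort.Strings(lines) // input order must never influence the result
	sum := sha256.Sum256([]byte(strings.Join(lines, "\n") + "\n"))
	return hex.EncodeToString(sum[:])[:16]
}

// GraphChanged is the CI-side check: compare a stored checksum with the current graph.
func GraphChanged(previous string, edges []Edge) bool {
	return previous != GraphChecksum(edges)
}

func main() {
	// Constructed sample graph (not a real project), listed in two orders.
	a := []Edge{
		{"example.com/app", "golang.org/x/net", "v0.25.0"},
		{"example.com/app", "github.com/foo/bar", "v1.2.3"},
		{"github.com/foo/bar", "golang.org/x/net", "v0.25.0"},
	}
	b := []Edge{a[2], a[0], a[1]}
	fmt.Println(GraphChecksum(a) == GraphChecksum(b)) // true: order-independent

	// A quiet bump of one transitive version changes the checksum.
	bumped := append([]Edge{}, a...)
	bumped[2].Version = "v0.26.0"
	fmt.Println(GraphChanged(GraphChecksum(a), bumped)) // true
}
```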

--sarif produces SARIF 2.1.0 compatible with GitHub Code Scanning (rules GORISK001 = high-risk capability, GORISK002 = low health score).

Exit codes: 0 = passed, 1 = policy failure, 2 = error.


GitHub Stars: 16
Category: Development
Updated: 3d ago
Forks: 0
Languages: Go
Security Score: 95/100 (audited on Apr 1, 2026; no findings)