Context
OSV Scanner v2.4.0 (released 2026-06-18) added a ScanGoModVersion config option that defaults to disabled. This prevents the scanner from treating the go directive in go.mod as a vulnerability signal for Go stdlib CVEs — which is the correct behavior since the directive specifies minimum language version, not the actual toolchain used to compile.
MegaLinter v9.6.0 (latest as of 2026-07-16) still ships osv-scanner 2.3.8 via Alpine packages, which always scans the go.mod version with no way to disable it. This forces us to:
- Keep
go.mod pinned to whatever version MegaLinter's container has
- Maintain ignore entries for stdlib CVEs that don't apply to our compiled binary
Action
Once MegaLinter ships a version with osv-scanner ≥ 2.4.0:
- Add to
osv-scanner.toml:
- Remove all
[[IgnoredVulns]] entries for Go stdlib CVEs (GO-2026-4970, GO-2026-5856, and any others accumulated)
- Bump
go.mod to the latest Go patch version without worrying about scanner compatibility
How to check
MegaLinter pins osv-scanner via Alpine packages:
ARG REPOSITORY_OSV_SCANNER_VERSION=2.3.8-r1
Watch for MegaLinter releases where this bumps to ≥ 2.4.0, or check:
References
Context
OSV Scanner v2.4.0 (released 2026-06-18) added a
ScanGoModVersionconfig option that defaults to disabled. This prevents the scanner from treating thegodirective ingo.modas a vulnerability signal for Go stdlib CVEs — which is the correct behavior since the directive specifies minimum language version, not the actual toolchain used to compile.MegaLinter v9.6.0 (latest as of 2026-07-16) still ships osv-scanner 2.3.8 via Alpine packages, which always scans the go.mod version with no way to disable it. This forces us to:
go.modpinned to whatever version MegaLinter's container hasAction
Once MegaLinter ships a version with osv-scanner ≥ 2.4.0:
osv-scanner.toml:[[IgnoredVulns]]entries for Go stdlib CVEs (GO-2026-4970, GO-2026-5856, and any others accumulated)go.modto the latest Go patch version without worrying about scanner compatibilityHow to check
MegaLinter pins osv-scanner via Alpine packages:
ARG REPOSITORY_OSV_SCANNER_VERSION=2.3.8-r1Watch for MegaLinter releases where this bumps to ≥ 2.4.0, or check:
References