Stop triaging Go CVEs that don't affect you

DEV Community
Vinu K

If you maintain Go services, you've probably been here: a scanner flags a CVE, you spend 30 minutes tracing imports and call paths, and it turns out your code never touches the vulnerable function.

I built GVS to automate that. Give it a repo URL and a CVE ID, and it does call graph analysis to determine whether the vulnerable symbols are actually reachable from your code.

What it does:

- Builds call graphs using VTA, RTA, CHA, or static analysis
- Traces reachability from entry points to vulnerable symbols
- Compares dependency versions against fixed versions
- Detects reflection patterns that might bypass static analysis
- Generates SVG visualizations of call paths

It runs as a self-hosted REST API or CLI. MIT licensed, written in Go.

Feedback welcome — especially if you're drowning in CVE noise on a large Go codebase.
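The reachability idea described above, as an added example that is not GVS's own code: a syntax-only call graph built with the standard library's go/parser, searched from an entry point to a flagged symbol. The sample source, the `example.com/parse` package and the `CallEdges` and `PathTo` names are constructed for illustration, and this simplification does not resolve types, interfaces or reflection.

```go
package main
import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
)
const sampleSrc = `package main
import "example.com/parse"
func main()   { handle() }
func handle() { parse.Safe() }
func legacy() { parse.Decode() }` // constructed; parse.Decode plays the vulnerable symbol
// CallEdges maps each declared function to the callee expressions in its body (syntax only).
func CallEdges(src string) map[string][]string {
	f, err := parser.ParseFile(token.NewFileSet(), "sample.go", src, 0)
	if err != nil {
		panic(err) // a partial parse would under-report reachability
	}
	edges := map[string][]string{}
	for _, d := range f.Decls {
		if fn, ok := d.(*ast.FuncDecl); ok && fn.Body != nil {
			ast.Inspect(fn.Body, func(n ast.Node) bool {
				if c, ok := n.(*ast.CallExpr); ok {
					edges[fn.Name.Name] = append(edges[fn.Name.Name], types.ExprString(c.Fun))
				}
				return true
			})
		}
	}
	return edges
}

// PathTo returns a call path from cur to target, or nil when target is unreachable.
func PathTo(edges map[string][]string, cur, target string, seen map[string]bool) []string {
	if cur == target {
		return []string{cur}
	}
	seen[cur] = true // guards against cycles in the call graph
	for _, callee := range edges[cur] {
		if !seen[callee] {
			if p := PathTo(edges, callee, target, seen); p != nil {
				return append([]string{cur}, p...)
			}
		}
	}
	return nil
}
func main() { fmt.Println(PathTo(CallEdges(sampleSrc), "main", "parse.Decode", map[string]bool{})) }
```

Here the package is imported, so a version-based scanner would flag it, but the only caller of the flagged function is dead code and no path from `main` reaches it.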