Recently the go team announced govulncheck which can reduce the amount of false positives because it doesn't go purely off of libraries imported
https://go.dev/security/vuln/
Integrations with pkg.go.dev and govulncheck to enable developers to find vulnerabilities in their projects. The govulncheck command analyzes your codebase and only surfaces vulnerabilities that actually affect you, based on which functions in your code are transitively calling vulnerable functions. Govulncheck provides a low-noise, reliable way to find known vulnerabilities in your projects.
currently trivy flags kube-bench as having CVE-2020-8911 when it doesn't actually use the S3 features of the aws-sdk-go library
aquasecurity/kube-bench#1268
This can be helped by libraries being split into features like the new aws-sdk-go-v2 does but govulncheck also tackles this
Recently the go team announced govulncheck which can reduce the amount of false positives because it doesn't go purely off of libraries imported
https://go.dev/security/vuln/
currently trivy flags kube-bench as having CVE-2020-8911 when it doesn't actually use the S3 features of the
aws-sdk-golibraryaquasecurity/kube-bench#1268
This can be helped by libraries being split into features like the new aws-sdk-go-v2 does but govulncheck also tackles this