
GOnetstat/port resource fail to notice net.ipv6.bindv6only - validation fails when dual mode ipv4/6 port is available #149

@dominics

Description

When sysctl net.ipv6.bindv6only is 0 (the default value), ports shown as tcp6 in netstat output may actually be listening on both protocols. If I start with a Goss check like this:

port:
  tcp:12345:
    listening: true

And I then create a simple container, exposing a port on all interfaces (ipv4 and ipv6), like so:

$ docker run -d -p 12345:80 --name goss-test nginx

Then I'll find that I can correctly use the listening port via ipv4:

$ nc -z 127.0.0.1 12345 ; echo $?
0

However, goss will not validate the port correctly:

$ goss validate
F

Failures/Skipped:

Port: tcp:12345: listening:
Expected
    <bool>: false
to equal
    <bool>: true

Total Duration: 0.016s
Count: 1, Failed: 1, Skipped: 0

What this boils down to is: goss is ensuring netstat's output, not the actual state of the ports.

Isn't netstat generally deprecated in favour of ss, because ss does a better job of not confusing the user in ipv6 situations like this one? e.g.

$ sudo ss -lapn | grep 12345
tcp    LISTEN     0      512                   :::12345                :::*      users:(("docker-proxy",25454,4))

versus

$ sudo netstat -lapn | grep 12345
tcp6       0      0 :::12345                :::*                    LISTEN      25454/docker-proxy

(ss is more correct; this is a tcp port, not a tcp6 specific one)
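One way to make the check reason about the socket table instead of netstat's label, as an added example that is not goss's or GOnetstat's code: it parses the /proc/net/tcp and /proc/net/tcp6 format that netstat itself reads, treats a tcp6 LISTEN socket bound to :: as also serving IPv4 whenever bindv6only is 0, and runs against a constructed tcp6 row matching the one in the issue. The sysctl value is passed in as a parameter (an assumption; reading /proc/sys/net/ipv6/bindv6only is left to the caller).

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

type ListenPort struct { // one LISTEN socket from /proc/net/tcp (IPv4) or /proc/net/tcp6
	Port     int
	IPv6     bool // came from the tcp6 table, which netstat labels "tcp6"
	Wildcard bool // bound to 0.0.0.0 or :: (all-zero hex address)
}

// parseProcTCP keeps the LISTEN (state 0A) rows of a /proc/net/tcp{,6} table.
func parseProcTCP(table string, ipv6 bool) []ListenPort {
	var out []ListenPort
	for i, line := range strings.Split(strings.TrimSpace(table), "\n") {
		f := strings.Fields(line)
		if i == 0 || len(f) < 4 || f[3] != "0A" {
			continue // header row, short row, or not TCP_LISTEN
		}
		addr, portHex, ok := strings.Cut(f[1], ":") // local_address is "<hex addr>:<hex port>"
		port, err := strconv.ParseUint(portHex, 16, 16)
		if !ok || err != nil {
			continue
		}
		out = append(out, ListenPort{int(port), ipv6, strings.Trim(addr, "0") == ""})
	}
	return out
}

// IsListening: a tcp6 socket on :: also serves IPv4 unless net.ipv6.bindv6only=1; netstat shows it only as "tcp6".
func IsListening(ports []ListenPort, p int, wantIPv6, bindv6only bool) bool {
	for _, lp := range ports {
		if lp.Port == p && (lp.IPv6 == wantIPv6 || (lp.IPv6 && lp.Wildcard && !bindv6only)) {
			return true
		}
	}
	return false
}

// Constructed sample (not captured from a real host): one tcp6 row, port 12345 (0x3039) bound to ::, as in the issue.
const sampleTCP6 = `  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:3039 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 31337 1 0000000000000000 100 0 0 10 0`

func main() {
	ports := parseProcTCP(sampleTCP6, true)
	fmt.Println("tcp:12345 reachable over IPv4 with bindv6only=0 / =1:", IsListening(ports, 12345, false, false), IsListening(ports, 12345, false, true))
}
```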
