Snyk supports testing and monitoring of Go projects that have their dependencies managed by Go Modules, dep and govendor.
The following describes how to use Snyk to scan your Go projects:
Features
Note
Features might not be available, depending on your subscription plan.
Package | CLI support | Git support | License scanning | Remediation | Runtime monitoring
---|---|---|---|---|---
Go Modules | ✔︎ | ✔︎ (Beta) | ✔︎ | |
dep | ✔︎ | ✔︎ | ✔︎ | |
govendor | ✔︎ | ✔︎ | ✔︎ | |
How it works
Snyk CLI tool for Go projects
Go Modules
In order to build the dependency tree, Snyk uses the go list -json -deps command.
Note
Snyk scans Go Modules projects in the CLI at the package level rather than on the module level, as we have full access to your project source code.
This is beneficial since you might use a vulnerable module but not the vulnerable package.
When testing Go Modules projects via the CLI, Snyk does not require dependencies to be installed, but you must have a go.mod file at the root of your project; go list uses this file and your project source code to build a complete dependency tree.
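To make the package-level versus module-level distinction concrete, here is an added Go example (not Snyk's code) that decodes a constructed `go list -json -deps` stream and reports whether a module is compiled into the build versus whether one specific, hypothetically vulnerable package of that module is; the module path github.com/example/lib and its packages are made-up names.

```go
package main

import (
	"encoding/json"
	"io"
)

// Subset of the go list -json schema needed here (field names match go list's output).
type Module struct{ Path, Version string; Main bool }
type Package struct{ ImportPath string; Standard bool; Module *Module }

// Constructed sample of `go list -json -deps` output, not real project data: the app
// compiles in one package of github.com/example/lib but not the whole module.
const sampleGoList = `{"ImportPath":"example.com/app","Module":{"Path":"example.com/app","Main":true}}
{"ImportPath":"fmt","Standard":true}
{"ImportPath":"github.com/example/lib/safe","Module":{"Path":"github.com/example/lib","Version":"v1.2.0"}}
{"ImportPath":"golang.org/x/text/unicode/norm","Module":{"Path":"golang.org/x/text","Version":"v0.3.0"}}`

// ParseGoListDeps decodes the stream of JSON objects go list emits, one per package.
func ParseGoListDeps(r io.Reader) ([]Package, error) {
	dec := json.NewDecoder(r)
	var pkgs []Package
	for {
		var p Package
		if err := dec.Decode(&p); err == io.EOF {
			return pkgs, nil
		} else if err != nil {
			return nil, err
		}
		pkgs = append(pkgs, p)
	}
}

// Exposure contrasts the module-level view (some package of modPath is compiled in, which is
// all a go.mod-only scan can tell) with the package-level view (vulnPkg itself is compiled in).
// Standard-library packages and the main module are skipped: they are not third-party exposure.
func Exposure(pkgs []Package, modPath, vulnPkg string) (moduleUsed, packageUsed bool) {
	for _, p := range pkgs {
		if p.Standard || p.Module == nil || p.Module.Main {
			continue
		}
		if p.Module.Path == modPath {
			moduleUsed = true
			packageUsed = packageUsed || p.ImportPath == vulnPkg
		}
	}
	return
}
```

For the sample above, a module-level scan would flag github.com/example/lib, while the package-level result shows that github.com/example/lib/unsafe never enters the build.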
Dep
In order to build the dependency tree, Snyk analyzes your Gopkg.lock file.
When testing dep projects via the CLI, Snyk requires dependencies to be installed; run dep ensure to achieve this.
Govendor
In order to build the dependency tree, Snyk analyzes your vendor/vendor.json file.
When testing govendor projects via the CLI, Snyk requires dependencies to be installed; run govendor sync to achieve this.
Git services for Go projects
Go Modules (Beta)
Note
Go Modules Git support is currently in Beta, and being gradually rolled out to users.
If you would like to get access earlier, contact support@snyk.io
In order to build the dependency tree, Snyk runs the go mod graph command using the go.mod files in the selected repository.
Note
For Go Modules projects imported via Git, dependencies are resolved at the module level rather than the package level, as we do not have full access to your project source code.
Private modules
Go Modules projects that depend on modules from private Git repositories are currently only supported where the private repositories are in the same Git organisation as the main project repository.
Imports for projects with private modules from repos in other Git organisations will fail. Support for private module dependencies from other Git organisations is planned for the future.
Broker
Projects imported via new Snyk Broker clients should work as expected.
To add support to existing clients created before Dec 30th 2020, you should add go.mod and go.sum to your accept.json file, as per the changes in this pull request.
Dep
In order to build the dependency tree, Snyk analyzes the Gopkg.lock files in the selected repository.
Govendor
In order to build the dependency tree, Snyk analyzes the vendor/vendor.json files in the selected repository.