Go

Supported frameworks and package managers

Code analysis

Snyk Code support for Go is limited.

Open source and licensing

Beginning on January 1, 2023, Snyk no longer supports govendor Projects. As a general security best practice, Snyk recommends using tools that are consistently maintained and up to date.

Because Snyk no longer supports scanning of govendor Projects, importing or testing one produces a warning and no results.

Snyk supports testing and monitoring of Go Projects with dependencies managed by Go Modules and dep.

Open source policy

To manage licenses from your developer workflows through policy, see the following topics:

Open source license compliance

To check compliance for open source licenses, see Snyk License Compliance Management.

Open source supported features

Feature availability: Features might not be available, depending on your plan. See pricing plans for more details.

Package managers / Features | CLI support | Git support | License scanning | Fix PRs
----------------------------|-------------|-------------|------------------|--------
Go Modules                  | ✔︎           | ✔︎           | ✔︎                |
dep                         | ✔︎           | ✔︎           | ✔︎                |

After Snyk has built the dependency tree, Snyk uses its vulnerability database to find vulnerabilities in any package anywhere in that tree.

To scan your dependencies, ensure you have first installed the relevant package manager, and that your Project contains the supported manifest files.

The way Snyk analyzes and builds the dependency tree varies depending on the language and package manager of the Project, as well as on where the Project is scanned from (the CLI or a Git repository).

Getting started with Snyk for Go across environments

Snyk CLI

Prerequisites

  1. Ensure you have installed the relevant package manager before you begin using the Snyk CLI (open source).

  2. Ensure you have included the relevant manifest files supported by Snyk before testing.

Code analysis

To start testing your code using Snyk Code, open your repository in a terminal and run the following command:

snyk code test

To customize test options, run other commands, exclude directories and files, and explore the results in different formats, see the following:

Open source and licensing

To scan your dependencies in the CLI, ensure you have installed the relevant package manager and that your Project contains the supported manifest files.

Go Modules and Snyk CLI

Snyk scans Go Modules Projects in the CLI at the package level rather than the module level, as Snyk has full access to your local source code.

Packages from the Go standard library are not supported or included in the dependency tree.

Packages under golang.org/x/ which are part of the Go Project but outside the main Go tree are supported.

To build the dependency tree, Snyk uses the go list -json -deps ./... command and follows the dependencies listed in each package's Imports field.

Dependencies listed only under TestImports and XTestImports are not supported and do not appear in the tree.

When you test Go Modules Projects using the CLI, Snyk does not require their dependencies to be installed, but you must have a go.mod file at the root of your Project. go list uses this and your Project source code to build a complete dependency tree.

Different versions of Go generate different results for the go list -json -deps command. This can affect the dependency tree and the vulnerabilities that the Snyk CLI finds.
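To make the package-level rules above concrete, here is an added example (not Snyk's own code) of a small Go program that consumes the same kind of stream that go list -json -deps ./... prints, drops standard-library packages, keeps golang.org/x/... packages, follows only Imports, and collects the third-party module@version pairs a scanner would look up. The sample records, the module example.com/app and its dependencies are constructed for the illustration and are not captured from a real project.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// listModule is the subset of the Module object that go list -json emits.
type listModule struct {
	Path    string `json:"Path"`
	Version string `json:"Version"`
	Main    bool   `json:"Main"`
}

// listPkg is the subset of a go list -json package record used here.
// TestImports is decoded only to show that it is present but never followed.
type listPkg struct {
	ImportPath  string      `json:"ImportPath"`
	Module      *listModule `json:"Module"`
	Standard    bool        `json:"Standard"`
	Imports     []string    `json:"Imports"`
	TestImports []string    `json:"TestImports"`
}

// sampleGoList is constructed to look like `go list -json -deps ./...` output
// for a hypothetical module example.com/app (not a real project). The output
// is a stream of JSON objects, not a JSON array, so it is decoded in a loop.
const sampleGoList = `
{"ImportPath":"io","Standard":true}
{"ImportPath":"fmt","Standard":true,"Imports":["io"]}
{"ImportPath":"encoding/json","Standard":true}
{"ImportPath":"golang.org/x/text/unicode/norm","Module":{"Path":"golang.org/x/text","Version":"v0.3.7"},"Imports":["io"]}
{"ImportPath":"github.com/acme/lib/api","Module":{"Path":"github.com/acme/lib","Version":"v1.2.0"},"Imports":["encoding/json"]}
{"ImportPath":"example.com/app","Module":{"Path":"example.com/app","Main":true},"Imports":["fmt","github.com/acme/lib/api","golang.org/x/text/unicode/norm"],"TestImports":["github.com/stretchr/testify/assert"]}
`

// depTree is a package-level dependency tree: Edges maps each non-standard
// package to the non-standard packages it imports, and Module maps each
// third-party package to the module@version that provides it.
type depTree struct {
	Edges  map[string][]string
	Module map[string]string
}

// buildTree decodes the stream and applies the rules: standard-library
// packages are dropped, golang.org/x/... packages are kept (Standard is false
// for them), and only Imports are followed, never TestImports/XTestImports.
func buildTree(r io.Reader) (*depTree, error) {
	pkgs := map[string]listPkg{}
	dec := json.NewDecoder(r)
	for {
		var p listPkg
		if err := dec.Decode(&p); err == io.EOF {
			break
		} else if err != nil {
			return nil, fmt.Errorf("decoding go list output: %w", err)
		}
		pkgs[p.ImportPath] = p
	}
	t := &depTree{Edges: map[string][]string{}, Module: map[string]string{}}
	for path, p := range pkgs {
		if p.Standard {
			continue
		}
		if p.Module != nil && !p.Module.Main {
			t.Module[path] = p.Module.Path + "@" + p.Module.Version
		}
		for _, imp := range p.Imports {
			if dep, ok := pkgs[imp]; !ok || dep.Standard {
				continue // unknown or standard-library package: not a node
			}
			t.Edges[path] = append(t.Edges[path], imp)
		}
		sort.Strings(t.Edges[path])
	}
	return t, nil
}

// thirdPartyModules returns the sorted, de-duplicated module@version set
// reachable through Imports, i.e. what a package-level scan would look up.
func thirdPartyModules(t *depTree) []string {
	seen := map[string]bool{}
	for _, m := range t.Module {
		seen[m] = true
	}
	out := make([]string, 0, len(seen))
	for m := range seen {
		out = append(out, m)
	}
	sort.Strings(out)
	return out
}

func main() {
	tree, err := buildTree(strings.NewReader(sampleGoList))
	if err != nil {
		panic(err)
	}
	fmt.Println("app imports:", tree.Edges["example.com/app"])
	fmt.Println("modules:", thirdPartyModules(tree))
}
```

Note what does not show up: fmt and io are dropped as standard library, and github.com/stretchr/testify never appears at all, both because it is only a TestImport and because go list -deps without -test does not emit a record for it. Replace the embedded sample with a pipe from a real go list -json -deps ./... run to see the same filtering on your own Project.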

Dep and Snyk CLI

To build the dependency tree, Snyk analyzes your Gopkg.lock files.

When you test dep Projects using the CLI, Snyk requires installation of dependencies. Run dep ensure to achieve this.

Snyk Web UI (Git repository integration)

Go Modules and Git

By default, dependencies for Go Modules Projects imported using Git are resolved at the module level rather than the package level.

This means you may see more dependencies and issues reported, including potential false positives, than for Projects tested in the CLI.

To avoid this issue and achieve more accurate scans, enable full source code analysis.

If full source code analysis is enabled, Snyk uses the go list -json -deps ./... command to build the dependency tree the same way the CLI test does. Otherwise, it uses go mod graph.
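As an added example (not Snyk's own code), the following program shows where the extra dependencies and potential false positives of module-level resolution come from: it parses constructed go mod graph output, collects every module reachable from the main module, and compares that set with the modules a package-level scan would attribute to the packages the application actually imports. The module graph, the package-level module list and the repository name example.com/app are all constructed for the illustration.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"sort"
	"strings"
)

// sampleModGraph is constructed to look like `go mod graph` output for a
// hypothetical module example.com/app; it is not from a real project. Each
// line is "module@version requirement@version"; only the main module has no
// version suffix.
const sampleModGraph = `example.com/app github.com/acme/lib@v1.2.0
example.com/app golang.org/x/text@v0.3.7
github.com/acme/lib@v1.2.0 github.com/acme/extra@v0.9.0
github.com/acme/lib@v1.2.0 golang.org/x/text@v0.3.5
`

// packageLevelModules is the (constructed) set a package-level scan of the
// same repository would report: the modules providing packages that
// example.com/app actually imports.
var packageLevelModules = []string{
	"github.com/acme/lib@v1.2.0",
	"golang.org/x/text@v0.3.7",
}

// moduleLevelDeps parses go mod graph output and returns, sorted, every
// module@version reachable from the main module. This is the view a
// module-level scan has: whole modules, with no knowledge of which of their
// packages are imported.
func moduleLevelDeps(r io.Reader) ([]string, error) {
	edges := map[string][]string{}
	mainMod := ""
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 0 {
			continue
		}
		if len(f) != 2 {
			return nil, fmt.Errorf("malformed go mod graph line: %q", sc.Text())
		}
		if !strings.Contains(f[0], "@") {
			mainMod = f[0] // only the main module has no @version
		}
		edges[f[0]] = append(edges[f[0]], f[1])
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	if mainMod == "" {
		return nil, errors.New("main module not found in graph")
	}
	seen := map[string]bool{}
	stack := []string{mainMod}
	for len(stack) > 0 {
		n := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		for _, dep := range edges[n] {
			if !seen[dep] {
				seen[dep] = true
				stack = append(stack, dep)
			}
		}
	}
	out := make([]string, 0, len(seen))
	for m := range seen {
		out = append(out, m)
	}
	sort.Strings(out)
	return out, nil
}

// overReported returns the modules a module-level scan reports that a
// package-level scan would not: transitive modules whose packages the
// application never imports, and requirement edges for versions that
// minimal version selection does not pick. Findings against these are the
// potential false positives mentioned above.
func overReported(moduleLevel, packageLevel []string) []string {
	have := map[string]bool{}
	for _, m := range packageLevel {
		have[m] = true
	}
	var extra []string
	for _, m := range moduleLevel {
		if !have[m] {
			extra = append(extra, m)
		}
	}
	sort.Strings(extra)
	return extra
}

func main() {
	mods, err := moduleLevelDeps(strings.NewReader(sampleModGraph))
	if err != nil {
		panic(err)
	}
	fmt.Println("module-level:", mods)
	fmt.Println("over-reported vs package-level:", overReported(mods, packageLevelModules))
}
```

In the sample, github.com/acme/extra is required by github.com/acme/lib but no package of it is imported by the application, and golang.org/x/text@v0.3.5 is a requirement edge that selection resolves to v0.3.7; both appear in the module-level view only. To check a real repository, pipe the output of go mod graph into moduleLevelDeps and the module list from a CLI test into overReported.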

Enable full source code analysis

Full source code analysis for Go Modules is currently in Early Access.

To build the most accurate dependency tree for Go Modules Projects imported from Git, Snyk needs to access all the files in your repository.

This enables Snyk to see the import statements in your .go source files, and determine which specific packages are used in your application. Without this access, Snyk will include all packages from the modules listed in your go.mod file.

To enable full source code analysis, adjust your settings as follows:

  1. Log in to your account and select your Group and Organization.

  2. Navigate to Settings, then Languages.

  3. Select Edit settings for Go.

  4. Toggle full source code analysis on or off.

For more details on levels of access to your repository required by different Snyk features, see How Snyk handles your data.

Private modules

Go modules projects that rely on modules from private Git repositories are supported if those repositories are in the same Git organization as the main project repository.

If you have private modules in repositories from other Git organizations, your Project imports may not work properly.

Private module support in different SCMs varies depending on whether full source code analysis is enabled or disabled.

Full source code analysis enabled | Full source code analysis disabled
----------------------------------|-----------------------------------
GitLab                            | GitHub
GitHub Enterprise                 | GitHub Enterprise
GitHub                            | Bitbucket Cloud
Bitbucket Server                  |
Bitbucket Cloud                   |
Azure Repos                       |

Snyk Broker

Snyk Broker is currently supported only when full source code analysis is disabled.

Go Modules Projects imported using new Snyk Broker clients should work as expected.

To add support to clients created before December 30, 2020, add go.mod and go.sum to your accept.json file, as per the changes in this pull request.

If you're using private Go Modules integrated through the Broker, each private module must have a go.mod file defined.

Dep and Git

To build the dependency tree, Snyk analyzes the Gopkg.lock files in your Git repository.

What's next?

Snyk integrations

🔗 For integrated development environments, see Use Snyk in your IDE.

🔗 If you prefer continuous integration/continuous delivery workflows, you can scan with Snyk based on the integration with your automation software (see Snyk CI/CD and Snyk API).

Troubleshooting

If you need help, contact Snyk Support.


© 2023 Snyk Limited | All product and company names and logos are trademarks of their respective owners.