SupportAPI docsProduct updatesSign up for free
Search…
Snyk User Documentation
Introducing Snyk
Getting started
PRODUCTS
Snyk Open Source
Open Source basics
Language & package manager support
Snyk for JavaScript
Snyk for Java (Gradle, Maven)
Snyk for .NET
Snyk for Python
Snyk for Golang
Snyk for Swift and Objective-C (CocoaPods)
Snyk for C / C++
Snyk for Scala
Snyk for Ruby
Snyk for PHP
Snyk for Elixir
Snyk for Bazel
Licenses
License policies
Dependency management
Snyk Code
Snyk Container
Snyk Infrastructure as Code
FEATURES
Snyk CLI
Snyk API
Integrations
User and group management
Fixing and prioritizing issues
Reports
Other tools
TUTORIALS
Getting Started
Amazon Web Services
Atlassian
CircleCI
Docker
Dynatrace
GCP
GitHub
Microsoft Azure
Oracle Cloud Infrastructure
Red Hat
SpringOne
MORE INFO
Disclosing vulnerabilities
How Snyk handles your data
Powered By GitBook
Snyk for Golang
Snyk supports testing and monitoring of Go projects that have their dependencies managed by Go Modules, dep and govendor.
The following describes how to use Snyk to scan your Go projects:

Features

Note Features might not be available, depending on your subscription plan.
Package managers / Features
CLI support
Git support
License scanning
Fixing
Runtime monitoring
​Go Modules​
✔︎
✔︎
✔︎
​
​
​dep​
✔︎
✔︎
✔︎
​
​
​govendor​
✔︎
✔︎
✔︎
​
​

How it works

Once we've built the tree, we can use our vulnerability database to find vulnerabilities in any of the modules or packages anywhere in the dependency tree.
Note In order to scan your dependencies in the CLI, you must ensure you have first installed the relevant package manager, and that your project contains the supported manifest files.
The way by which Snyk analyzes and builds the tree varies depending on the language and package manager of the project, as well as the location of your project.

Snyk CLI tool for Go projects

Go Modules
In order to build the dependency tree Snyk uses the go list -json -deps command.
Note Snyk scans Go Modules projects in the CLI at the package level rather than on the module level, as we have full access to your project source code. This is beneficial since you might use a vulnerable module but not the vulnerable package.
When testing Go Modules projects via the CLI Snyk does not require dependencies to be installed, but you must have a go.mod file at the root of your project, go list uses this and your project source code to build a complete dependency tree.
Note Different versions of the Go generate different results for the go list -json -deps command. This can affect the dependency tree and the vulnerabilities that the Snyk CLI will find.
Dep
In order to build the dependency tree Snyk analyzes your Gopkg.lock files.
When testing dep projects via the CLI Snyk requires dependencies to be installed, run dep ensure to achieve this.
Govendor
In order to build the dependency tree Snyk analyzes your vendor/vendor.json files.
When testing Govendor projects via the CLI Snyk requires dependencies to be installed, run govendor sync to achieve this.

Git services for Go projects

Go Modules

Note For Go Modules projects imported via Git, dependencies are resolved at the module level rather than the package level, as we do not have full access to your project source code. This means you may see more issues (including potential false positives) reported than for projects tested in the CLI, as we report all vulnerabilities for each module not just the package(s) referenced in your source code.
In order to build the dependency tree Snyk runs the go mod graph command using the go.mod files in the selected repository.
Private modules
Go Modules projects that depend on modules from private Git repositories are supported where the private repositories are in the same Git organisation as the main project repository.
Imports for projects with private modules from repos in other Git organisations will fail. Support for private module dependencies from other Git organisations is planned for the future.
Private modules are supported for GitHub and Bitbucket Cloud. GitLab and Bitbucket Server are not currently supported.
Broker
Projects imported via the new Snyk Broker clients should work as expected.
To add support to existing clients created before Dec 30th 2020, you should add go.mod and go.sum to your accept.json file, as per the changes in this pull request.
If you are using private Go Modules (repositories) integrated via the broker, please note that we require each private module to have a go.mod file defined.
Dep
In order to build the dependency tree Snyk analyzes the Gopkg.lock files in the selected repository.
Govendor
In order to build the dependency tree Snyk analyzes the vendor/vendor.json files in the selected repository.
Previous
Snyk for Python
Next
Snyk for Swift and Objective-C (CocoaPods)
Last modified 6d ago
Export as PDF
Copy link
Edit on GitHub
Contents
Features
How it works
Snyk CLI tool for Go projects
Git services for Go projects
Go Modules