Snyk for Go
From January 1, 2023, Snyk no longer supports govendor Projects. As a general security best practice, Snyk recommends using tools that are consistently maintained and up-to-date.
Once Snyk no longer supports scanning of govendor Projects, a warning is issued and no results are returned.
The following describes how to use Snyk to scan your Go Projects.
How Snyk analyzes and builds the tree varies depending on the language and package manager for the Project and your Project's location.
To scan your dependencies in the CLI, ensure you have installed the relevant package manager and that your Project contains the supported manifest files.
Snyk scans Go Modules Projects in the CLI at the package level rather than the module level, as Snyk has full access to your local source code.
To build the dependency tree, Snyk uses the go list -json -deps ./... command, and uses the dependencies found in
XTestImports are not supported.
When you test Go Modules Projects using the CLI, Snyk does not require their dependencies to be installed, but you must have a go.mod file at the root of your Project. go list uses this and your Project source code to build a complete dependency tree.
Different versions of Go generate different results for the go list -json -deps command. This can affect the dependency tree and the vulnerabilities that the Snyk CLI finds.
To build the dependency tree, Snyk analyzes your
When you test dep Projects using the CLI, Snyk requires installation of dependencies. Run dep ensure to achieve this.
By default, dependencies for Go Modules Projects imported via Git are resolved at the module level rather than the package level.
This means you may see more dependencies and issues reported, including potential false positives, than for Projects tested in the CLI.
If full source code analysis is enabled, Snyk uses the go list -json -deps ./... command to build the dependency tree the same way the CLI test does. Otherwise, it uses go mod graph.
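The two resolution strategies described above (package-level from go list -json -deps, module-level from go mod graph) differ in what they count as a dependency. The following Go program is an added example, not Snyk's own code: it parses a constructed sample of each command's output and shows that module-level resolution over-approximates, listing a module (libB) whose packages are never imported, which is exactly the source of the extra findings and potential false positives the page mentions. The sample module paths (example.com/app, libA, libB, libC) and versions are constructed, and XTestImports are ignored, as the page states.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// Module mirrors the "Module" object in `go list -json` output.
type Module struct {
	Path    string `json:"Path"`
	Version string `json:"Version"`
	Main    bool   `json:"Main"`
}

// Package mirrors the subset of `go list -json -deps` fields needed here.
type Package struct {
	ImportPath   string   `json:"ImportPath"`
	Standard     bool     `json:"Standard"`
	Module       *Module  `json:"Module"`
	Imports      []string `json:"Imports"`
	Deps         []string `json:"Deps"`
	XTestImports []string `json:"XTestImports"` // present in output, but not followed
}

// PackageLevelModules reads the stream of JSON objects that
// `go list -json -deps ./...` emits and returns the third-party modules
// ("path@version") that at least one reachable package belongs to.
// Standard-library packages and the main module are skipped; XTestImports
// are never followed, so test-only modules do not appear.
func PackageLevelModules(r io.Reader) ([]string, error) {
	dec := json.NewDecoder(r)
	seen := map[string]bool{}
	for {
		var p Package
		err := dec.Decode(&p)
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		if p.Standard || p.Module == nil || p.Module.Main {
			continue
		}
		seen[p.Module.Path+"@"+p.Module.Version] = true
	}
	return sortedKeys(seen), nil
}

// ModuleLevelModules parses `go mod graph` output ("from to@version" per
// line) and returns every required module, whether or not any package in
// it is actually imported by the application.
func ModuleLevelModules(r io.Reader) ([]string, error) {
	seen := map[string]bool{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue // skip blank or malformed lines
		}
		seen[fields[1]] = true
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	return sortedKeys(seen), nil
}

func sortedKeys(m map[string]bool) []string {
	out := make([]string, 0, len(m))
	for k := range m {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// Constructed sample of `go list -json -deps ./...` output (not real tool
// output). The app imports one package from libA; libA's module also
// requires libB, but no libB package is imported anywhere.
const sampleGoList = `{"ImportPath": "fmt", "Standard": true}
{"ImportPath": "example.com/libA/pkg",
 "Module": {"Path": "example.com/libA", "Version": "v1.2.0"},
 "Imports": ["fmt"], "Deps": ["fmt"]}
{"ImportPath": "example.com/app",
 "Module": {"Path": "example.com/app", "Main": true},
 "Imports": ["example.com/libA/pkg", "fmt"],
 "Deps": ["example.com/libA/pkg", "fmt"],
 "XTestImports": ["example.com/libC/assert"]}`

// Constructed sample of `go mod graph` output for the same Project.
const sampleModGraph = `example.com/app example.com/libA@v1.2.0
example.com/app example.com/libC@v0.9.0
example.com/libA@v1.2.0 example.com/libB@v2.0.1`

func main() {
	pk, _ := PackageLevelModules(strings.NewReader(sampleGoList))
	md, _ := ModuleLevelModules(strings.NewReader(sampleModGraph))
	fmt.Println("package-level (go list):", pk)
	fmt.Println("module-level (go mod graph):", md)
}
```

Running the program prints one module for the package-level view and three for the module-level view; the difference (libB, and the test-only libC) is what shows up as extra dependencies and issues when a Git-imported Project is scanned without full source code analysis.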
To build the most accurate dependency tree for Go Modules Projects imported from Git, Snyk needs to access all the files in your repository.
This enables Snyk to see the import statements in your .go source files, and determine which specific packages are used in your application. Without this access, Snyk will include all packages from the modules listed in your
To enable full source code analysis, adjust your settings as follows:
1. Log in to your account and select your Group and Organization.
2. Go to Settings > Languages.
3. Select Edit settings for Go.
4. Toggle full source code analysis on or off.
[Screenshot: Enable full source code analysis]
Go Modules Projects that depend on modules from private Git repositories are supported when the private repositories are in the same Git Organization as the main Project repository.
Imports for Projects with private modules from repositories in other Git organizations will fail.
If you're using private Go Modules integrated via the Broker, each private module must have a
To build the dependency tree, Snyk analyzes the Gopkg.lock files in your Git repository.