Snyk for Go
From January 1, 2023, Snyk no longer supports govendor Projects. As a general security best practice, Snyk recommends using tools that are consistently maintained and up-to-date.
Once support for scanning govendor Projects has ended, Snyk issues a warning for them and returns no results.
Snyk supports testing and monitoring of Go Projects with dependencies managed by Go Modules and dep.
The following describes how to use Snyk to scan your Go Projects.
Features of Snyk for Go
How Snyk for Go works
Snyk builds a dependency tree, then uses the vulnerability database to find vulnerabilities in any of the modules or packages in the tree.
How Snyk analyzes and builds the tree varies depending on the language and package manager for the Project and your Project's location.
Snyk CLI for Go Projects
Go Modules and Snyk CLI
To build the dependency tree, Snyk uses the go list -json -deps ./... command.
When you test Go Modules Projects using the CLI, Snyk does not require their dependencies to be installed, but you must have a go.mod file at the root of your Project. go list uses this file and your Project source code to build a complete dependency tree.
Dep and Snyk CLI
To build the dependency tree, Snyk analyzes your Gopkg.lock files.
When you test dep Projects using the CLI, Snyk requires installation of dependencies. Run dep ensure to achieve this.
Git services for Go Projects
Go Modules and Git
By default, dependencies for Go Modules Projects imported via Git are resolved at the module level rather than the package level.
This means you may see more dependencies and issues reported, including potential false positives, than for Projects tested in the CLI.
To avoid this issue and achieve more accurate scans, enable full source code analysis.
If full source code analysis is enabled, Snyk uses the go list -json -deps ./... command to build the dependency tree. Otherwise, it uses go mod graph.
Enable full source code analysis
To build the most accurate dependency tree for Go Modules Projects imported from Git, Snyk needs to access all the files in your repository.
This enables Snyk to see the import statements in your .go source files and determine which specific packages are used in your application. Without this access, Snyk includes all packages from the modules listed in your go.mod file.
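As an added illustration of the module-level versus package-level difference described above (this is example code, not Snyk's own tooling), the following Go program reads a go list -json -deps ./... stream together with a go.mod file and lists the required modules that no package actually imports; those are the findings that module-level scanning (go mod graph) reports and package-level scanning does not. The type and function names are assumptions, and the inputs are constructed by the caller.

```go
package main

import (
	"encoding/json"
	"io"
	"strings"
)

// goListPkg keeps the go list -json -deps fields used here (Module is absent for standard-library packages).
type goListPkg struct {
	Module *struct{ Path string; Main bool } // Main marks the Project's own module
}

// RequiredModules returns module paths from go.mod require directives,
// single-line or block form, ignoring comments such as "// indirect".
func RequiredModules(gomod string) (mods []string) {
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		line = strings.TrimSpace(strings.SplitN(line, "//", 2)[0])
		if line == "require (" || line == ")" {
			inBlock = line == "require ("
		} else if f := strings.Fields(strings.TrimPrefix(line, "require ")); len(f) > 0 &&
			(inBlock || strings.HasPrefix(line, "require ")) {
			mods = append(mods, f[0])
		}
	}
	return mods
}

// ModuleOnlyFindings returns go.mod requirements that no package in the go list
// stream imports: module-level scanning reports issues in them, package-level scanning does not.
func ModuleOnlyFindings(gomod string, goList io.Reader) (unused []string, err error) {
	used, dec := map[string]bool{}, json.NewDecoder(goList)
	for dec.More() { // the stream is a sequence of JSON objects, one per package
		var p goListPkg
		if err = dec.Decode(&p); err != nil {
			return nil, err
		}
		if p.Module != nil && !p.Module.Main {
			used[p.Module.Path] = true
		}
	}
	for _, m := range RequiredModules(gomod) {
		if !used[m] {
			unused = append(unused, m)
		}
	}
	return unused, nil
}
```

Feed it the output of go list -json -deps ./... run in the module root and the contents of go.mod; an empty result means package-level and module-level scans would cover the same modules.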
To enable full source code analysis, adjust your settings as follows:
Log in to your account and select your Group and Organization.
Go to Settings > Languages.
Select Edit settings for Go.
Toggle full source code analysis on or off.

For more details on levels of access to your repository required by different Snyk features, see How Snyk handles your data.
Private modules
Go Modules Projects that depend on modules from private Git repositories are supported when the private repositories are in the same Git Organization as the main Project repository.
Imports for Projects with private modules from repositories in other Git organizations will fail.
Private module support in different SCMs varies depending on whether full source code analysis is enabled or disabled.
Full source code analysis disabled: Azure Repos, Bitbucket Cloud, Bitbucket Server, GitHub, GitHub Enterprise, GitLab
Full source code analysis enabled: GitHub, GitHub Enterprise, Bitbucket Cloud
Snyk Broker
Snyk Broker is currently only supported when full source code analysis is disabled.
Go Modules Projects imported via new Snyk Broker clients should work as expected.
To add support to clients created before December 30, 2020, add go.mod and go.sum to your accept.json file, as per the changes in this pull request.
If you're using private Go Modules integrated via the Broker, each private module must have a go.mod file defined.
Dep and Git
To build the dependency tree, Snyk analyzes the Gopkg.lock files in your Git repository.