# Go
We support three package manager tools for tracking Go dependencies:
- Go Modules
- Go Dep
- Bazel
# Go Modules
We support tracking Go dependencies using the Go Modules dependency management system and its associated file, `go.mod`.
For the fastest and most accurate results, a file containing the resolved dependency tree, `.debricked-go-dependencies.txt`, has to be created prior to scanning.
This can be done by running `go mod graph` followed by `go list -m all` and storing the two outputs, with two newlines between the sections, in a `.debricked-go-dependencies.txt` file.

```shell
printf "$(go mod graph)\n\n$(go list -mod=readonly -e -m all)" > .debricked-go-dependencies.txt
```
Every `.debricked-go-dependencies.txt` must be put in the same directory as the corresponding `go.mod`.
Check out our Go CI templates to set this up.
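
A pre-scan check for the layout described above, added here as an example (not Debricked's own tooling): it confirms that each `go.mod` has a `.debricked-go-dependencies.txt` beside it with both sections present, because the `printf` one-liner still writes a file when one of the `go` commands fails. The function names and the MISSING/MALFORMED labels are assumptions of this example, and the demo data is constructed.

```shell
# Added example (not Debricked code): check that every go.mod has a
# well-formed .debricked-go-dependencies.txt beside it before scanning.
# Function names and MISSING/MALFORMED labels are assumptions of this example.

# Returns 0 if the file is: `go mod graph` lines (exactly two fields each),
# one blank line, then at least one `go list -m all` line; 2 otherwise.
# An empty section is what the printf one-liner leaves when a go command fails.
check_deps_file() {
  awk '
    NF == 0      { if (section == 1) section = 2; else bad = 1; next }
    section == 0 { section = 1 }
    section == 1 { graph++; if (NF != 2) bad = 1 }
    section == 2 { list++ }
    END { exit ((bad || graph == 0 || list == 0) ? 2 : 0) }
  ' "$1"
}

# Prints one line per go.mod directory whose dependency file is missing or
# malformed; returns 1 if any problem was found, 0 if the tree is ready.
audit_repo() {
  report=$(find "$1" -type f -name go.mod | sort | while IFS= read -r gomod; do
    dir=$(dirname "$gomod")
    deps="$dir/.debricked-go-dependencies.txt"
    if [ ! -f "$deps" ]; then
      echo "MISSING $dir"
    elif ! check_deps_file "$deps"; then
      echo "MALFORMED $dir"
    fi
  done)
  if [ -n "$report" ]; then
    printf '%s\n' "$report"
    return 1
  fi
  return 0
}

# Demo on constructed data: svc/a is complete, svc/b lost its graph section.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/svc/a" "$tmp/svc/b"
  touch "$tmp/svc/a/go.mod" "$tmp/svc/b/go.mod"
  printf 'example.com/a example.com/x@v1.2.0\n\nexample.com/a\nexample.com/x v1.2.0' \
    > "$tmp/svc/a/.debricked-go-dependencies.txt"
  printf '\n\nexample.com/b' > "$tmp/svc/b/.debricked-go-dependencies.txt"
  status=0; audit_repo "$tmp/svc" || status=$?
  rm -rf "$tmp"
  return "$status"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

In CI, call `audit_repo` on the checkout root after generating the files and fail the job on a non-zero return, so an incomplete dependency file is never uploaded.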
Go tip
Run `go mod tidy` before pushing the `go.mod` files, which cleans up unused modules. This makes the results from our service even better.
Warning
In the future, it will be required to upload a `.debricked-go-dependencies.txt` file in order to do a complete scan, including indirect dependencies and dependency relations.
# Bazel
We also support Go projects using Bazel, where we scan the `WORKSPACE` file format in addition to any Go file formats being used.
Even though Bazel does not have native support for Go, it is possible to add support using Gazelle.
# Go Dep
Note
Go Dep and its associated file `Gopkg.lock` are deprecated and will not get any of the improvements present in other formats, such as Go Modules.
# Supported features
Package Manager | Security | License | Health |
---|---|---|---|
Bazel | ✓ | ✓ | ✓ |
Go | ✓ | ✓ | ✓ |