We support three package manager tools for tracking Go dependencies:
- Go Modules
- Go Dep
# Go Modules
We support tracking Go dependencies using the Go Modules dependency management system and its associated file, `go.mod`.
For the fastest and most accurate results, a file containing the resolved dependency tree, `.debricked-go-dependencies.txt`, has to be created prior to scanning.
This can be done by running `go mod graph` followed by `go list -m all` and storing the outputs, separated by two newlines between the sections, in a `.debricked-go-dependencies.txt` file:

```sh
printf "$(go mod graph)\n\n$(go list -mod=readonly -e -m all)" > .debricked-go-dependencies.txt
```

`.debricked-go-dependencies.txt` must be put in the same directory as the corresponding `go.mod` file.
Check out our Go CI templates to set this up.
Run `go mod tidy` before pushing the `go.mod` files, which cleans up unused modules. This makes the results from our service even better.
In the future, it will be required to upload a `.debricked-go-dependencies.txt` file in order to do a complete scan, including indirect dependencies and dependency relations.
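
To show what the two sections of `.debricked-go-dependencies.txt` contribute, this added example (not code from this page or from the scanning service) joins the graph section with the resolved list and marks each module as direct or indirect, along with the modules that require it. `Dep`, `ParseDeps` and the sample modules are hypothetical, and it assumes the first `go list -m all` line is the main module.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample: `go mod graph` output, blank line, `go list -m all` output.
const sample = "example.com/app example.com/lib@v1.2.0\nexample.com/app example.com/util@v0.3.0\n" +
	"example.com/lib@v1.2.0 example.com/util@v0.1.0\nexample.com/lib@v1.2.0 example.com/deep@v0.9.0\n\n" +
	"example.com/app\nexample.com/lib v1.2.0\nexample.com/util v0.3.0\nexample.com/deep v0.9.0"

// Dep is one resolved module (hypothetical type for this example).
type Dep struct {
	Version    string   // version listed by `go list -m all`
	Direct     bool     // required by the main module itself
	RequiredBy []string // requirers as written in the graph section (any version)
}

// ParseDeps splits the file into its two sections and joins them by module path.
// Assumption: the first line of the list section is the main module.
func ParseDeps(data string) (map[string]*Dep, error) {
	parts := strings.SplitN(strings.TrimRight(data, "\n"), "\n\n", 2)
	if len(parts) != 2 || len(strings.Fields(parts[1])) == 0 {
		return nil, fmt.Errorf("want graph and list sections separated by a blank line")
	}
	list := strings.Split(strings.TrimSpace(parts[1]), "\n")
	root, deps := strings.Fields(list[0])[0], map[string]*Dep{}
	for _, l := range list[1:] {
		if f := strings.Fields(l); len(f) >= 2 {
			deps[f[0]] = &Dep{Version: f[1]}
		}
	}
	for _, l := range strings.Split(parts[0], "\n") {
		if f := strings.Fields(l); len(f) == 2 {
			name, _, _ := strings.Cut(f[1], "@")
			if d, ok := deps[name]; ok { // skip graph nodes absent from the list
				d.RequiredBy = append(d.RequiredBy, f[0])
				d.Direct = d.Direct || f[0] == root
			}
		}
	}
	return deps, nil
}

func main() {
	deps, err := ParseDeps(sample)
	fmt.Println(deps["example.com/deep"], err)
}
```
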
We also support Go projects using Bazel, where we scan the `WORKSPACE` file format in addition to any Go file formats being used.
Even though Bazel does not have native support for Go, it is possible to add support using Gazelle.
# Go Dep
Go Dep and its associated file, `Gopkg.lock`, are deprecated and will not get any of the improvements present in other formats, such as Go Modules.
# Supported features