# Go

We support three package manager tools for tracking Go dependencies:

  • Go Modules
  • Go Dep
  • Bazel

# Go Modules

We support tracking Go dependencies using the Go Modules dependency management system and its associated file go.mod.

For the fastest and most accurate results, a file containing the resolved dependency tree, .debricked-go-dependencies.txt, has to be created prior to scanning.

This can be done by running go mod graph followed by go list -m all and storing the outputs separated by two newlines between the sections in a .debricked-go-dependencies.txt.

printf "$(go mod graph)\n\n$(go list -mod=readonly -e -m all)" > .debricked-go-dependencies.txt

Every .debricked-go-dependencies.txt must be put in the same directory as the corresponding go.mod.

Check out our Go CI templates (opens new window) to set this up.

Go tip

Run go mod tidy before pushing the go.mod files, which cleans up unused modules. This makes the results from our service even better.


In the future, it will be required to upload a .debricked-go-dependencies.txt file in order to do a complete scan, including indirect dependencies and dependency relations.

# Bazel

We also support Go projects using Bazel, where we scan the WORKSPACE file format in addition to any Go file formats being used. Even though Bazel does not have native support for Go, it is possible to add support using Gazelle (opens new window).

# Go Dep


Go Dep and its associated file Gopkg.lock is deprecated (opens new window) and will not get any improvements present in other format, such as Go Modules.

# Supported features

Package Manager Security License Health