# Go

We support three package manager tools for tracking Go dependencies:

  • Go Modules
  • Go Dep
  • Bazel

# Go Modules

We support tracking Go dependencies using the Go Modules dependency management system and its associated file go.mod.

For the fastest and most accurate results, a file containing the resolved dependency tree, .debricked-go-dependencies.txt, has to be created prior to scanning.

This can be done by running `go mod graph` followed by `go list -m all` and storing the two outputs, separated by two newlines, in .debricked-go-dependencies.txt.

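```bash
# Passing the outputs as arguments keeps any % or \ in them from being treated as printf format codes.
printf '%s\n\n%s' "$(go mod graph)" "$(go list -mod=readonly -e -m all)" > .debricked-go-dependencies.txt
```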

Every .debricked-go-dependencies.txt must be put in the same directory as the corresponding go.mod.

Check out our Go CI templates to set this up.
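For a repository that holds several modules, the steps above can be scripted so that every go.mod gets its own file. The following is an added example, not Debricked's own tooling; the function name and the GO_BIN override are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not Debricked's own tooling.
# GO_BIN is a hypothetical override for the go binary (default: go).

generate_debricked_go_deps() {
    root="${1:-.}"
    go_bin="${GO_BIN:-go}"
    status=0

    # Every go.mod needs its own dependency file in the same directory.
    modfiles="$(find "$root" -type f -name go.mod | sort)"
    if [ -z "$modfiles" ]; then
        echo "no go.mod found under $root" >&2
        return 1
    fi

    while IFS= read -r modfile; do
        dir="$(dirname "$modfile")"
        out="$dir/.debricked-go-dependencies.txt"
        # Resolve inside the module directory; write only if both succeed.
        if graph="$(cd "$dir" && "$go_bin" mod graph)" &&
           list="$(cd "$dir" && "$go_bin" list -mod=readonly -e -m all)"; then
            # Graph section, blank line, module list section.
            printf '%s\n\n%s' "$graph" "$list" > "$out"
            echo "wrote $out"
        else
            echo "could not resolve dependencies in $dir" >&2
            status=1
        fi
    done <<EOF
$modfiles
EOF

    return "$status"
}
```

Call it from the repository root, for example `generate_debricked_go_deps .`, before the scan step; a non-zero return means at least one module could not be resolved and its file was not written.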

Go tip

Run `go mod tidy` before pushing the go.mod files; it cleans up unused modules, which makes the results from our service even better.

Warning

In the future, it will be required to upload a .debricked-go-dependencies.txt file in order to do a complete scan, including indirect dependencies and dependency relations.

# Bazel

We also support Go projects using Bazel, where we scan the WORKSPACE file format in addition to any Go file formats being used. Even though Bazel does not have native support for Go, it is possible to add support using Gazelle.

# Go Dep

Note

Go Dep and its associated file Gopkg.lock are deprecated and will not get any of the improvements present in other formats, such as Go Modules.

# Supported features

Package Manager Security License Health
Bazel
Go

# Supported File Formats

| Package Manager | File Format | Level of Support * |
|---|---|---|
| Bazel | WORKSPACE | 3 |
| Go Modules | go.mod | 3 |
| Go Dep | gopkg.lock | 1 |