Go - Go Modules, Go Dep, Bazel

  • 17 January 2023
  • 0 replies

Debricked supports tracking Go dependencies via:

  • Go Modules, using go.mod files

  • Go Dep, using gopkg.lok files

  • Bazel, using WORKSPACE files


Go Modules

We support tracking Go dependencies using the Go Modules dependency management system and its associated file go.mod.

For the fastest and most accurate results, a file containing the resolved dependency tree, .debricked-go-dependencies.txt, has to be created prior to scanning.

This can be done by running go mod graph followed by go list -m all and storing the outputs separated by two new lines between the sections in  .debricked-go-dependencies.txt.


printf "$(go mod graph)\n\n$(go list -mod=readonly -e -m all)" > .debricked-go-dependencies.txt


Every .debricked-go-dependencies.txt must be put in the same directory as the corresponding go.mod. Check out our Go CI templates to learn how to set it up.

We also recommend running go mod tidy, which cleans up unused modules, before pushing the go.mod files, which makes the results of our service more accurate.



We support Go projects using Bazel, scanning the WORKSPACE file format in addition to any Go file formats being used. Even though Bazel does not have native support for Go, it is possible to add support using Gazelle.


Go Dep

Go Dep and its associated file Gopkg.lock is deprecated and will not get any improvements present in other formats, such as Go Modules.


Supported file formats and features:


Package Manager

Supported File Formats

Root dependencies 

Indirect dependencies

Dependency trees

Security Scanning

License Scanning

Root Fix





Go Modules


Go Dep






Have a look at the overview of all supported languages.

0 replies

Be the first to reply!