Debricked supports tracking Go dependencies via:
- Go Modules, using go.mod files
- Go Dep, using Gopkg.lock files
- Bazel, using WORKSPACE files
Go Modules
We support tracking Go dependencies using the Go Modules dependency management system and its associated file go.mod.
For the fastest and most accurate results, a file containing the resolved dependency tree, .debricked-go-dependencies.txt, has to be created prior to scanning.
This can be done by running go mod graph followed by go list -m all and storing the two outputs in .debricked-go-dependencies.txt, separated by two newlines:
printf '%s\n\n%s' "$(go mod graph)" "$(go list -mod=readonly -e -m all)" > .debricked-go-dependencies.txt
Every .debricked-go-dependencies.txt must be put in the same directory as the corresponding go.mod. Check out our Go CI templates to learn how to set it up.
We also recommend running go mod tidy, which cleans up unused modules, before pushing the go.mod files; this makes the results of our service more accurate.
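The steps above, generalized to a repository that holds several modules, as an added example that is not Debricked's own tooling: it writes the file beside every go.mod and reports a failure if either go command fails for a module. The function names and the GO_BIN variable are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: write .debricked-go-dependencies.txt beside every go.mod.
# GO_BIN is an assumption of this sketch (lets CI point at a specific go binary).
GO_BIN="${GO_BIN:-go}"

# gen_one DIR: build the file for the module rooted at DIR.
gen_one() {
    dir=$1
    out="$dir/.debricked-go-dependencies.txt"
    tmp="$out.tmp"
    # Capture each section separately so a failing command is detected
    # instead of silently leaving a truncated file behind.
    graph=$(cd "$dir" && "$GO_BIN" mod graph) || return 1
    list=$(cd "$dir" && "$GO_BIN" list -mod=readonly -e -m all) || return 1
    # The module list always names at least the main module.
    [ -n "$list" ] || return 1
    # '%s' keeps go's output out of the printf format string.
    printf '%s\n\n%s' "$graph" "$list" > "$tmp" || return 1
    # Rename last, so a scanner never picks up a half-written file.
    mv "$tmp" "$out"
}

# gen_all ROOT: process every go.mod under ROOT.
# Prints the number of files written; returns non-zero if any module failed.
gen_all() {
    root=$1
    count=0
    failed=0
    list_file=$(mktemp) || return 1
    find "$root" -name go.mod -type f > "$list_file"
    while IFS= read -r modfile; do
        if gen_one "$(dirname "$modfile")"; then
            count=$((count + 1))
        else
            echo "failed: $modfile" >&2
            failed=1
        fi
    done < "$list_file"
    rm -f "$list_file"
    echo "$count"
    return "$failed"
}
```

In a CI job, call `gen_all .` from the repository root before the scan step and treat a non-zero exit status as a build failure.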
Bazel
We support Go projects using Bazel, scanning the WORKSPACE file format in addition to any Go file formats being used. Even though Bazel does not have native support for Go, it is possible to add support using Gazelle.
Go Dep
Go Dep and its associated file Gopkg.lock are deprecated and will not get any of the improvements present in other formats, such as Go Modules.
Supported file formats and features:
Language | Package Manager | Supported File Formats | Root dependencies | Indirect dependencies | Dependency trees | Security Scanning | License Scanning | Root Fix |
Go | WORKSPACE | ✓ | ✓ | ✓ | ✓ | ✓ | ||
go.mod | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
gopkg.lock | ✓ | ✓ | ✓ |
Have a look at the overview of all supported languages.