Securing Go modules made easy (and accurately!)

August 7, 2019 | in Product
| By Ariel ornstein

We are excited to share that starting today, developers can test and monitor their Go projects, which use modules, for open source vulnerabilities and get precise and accurate package-level alerts.

We are committed to helping developers secure their open source code, and we work hard to expand our ecosystem and to support additional languages and package managers constantly. Up until today, Snyk offered support for Go projects using dep or Go vendor as their package managers. Similarly, we wanted to also make sure our users could use Go modules, as its popularity is taking off,  in a secure way and with the most accurate results to verify that development is not being slowed down.

Package-level alerts for vulnerabilities in your Go modules projects 

With this new addition, you can now scan your Go projects using Snyk CLI (snyk test) to detect vulnerabilities.

Snyk uniquely calculates a fully structured dependency tree of the project, at the granular package level and not only based on the module used. This means, Snyk detects only the specific packages that are found to be vulnerable, and only alerts if those vulnerable packages are in use. As a result, Snyk’s alerts are more accurate, issuing fewer false positives and unnecessary alerts.

The following image displays a dependency tree of a Go module project

The dependency tree is compared against our proprietary vulnerability database which offers comprehensive data unique to Go. If we find a vulnerable package we’ll then point you to the exact package in our database, to provide more information about the package and the vulnerability.

Monitoring projects and keeping you secure

We ensure your projects are secure by continuously monitoring your Go modules projects and alerting when new relevant vulnerabilities are disclosed. In such cases, we point you to the exact vulnerable package. Our security team researches and discovers new vulnerabilities as they are added to our database, often times prior to public databases. 

How to get started?

Snyk is committed to making security tools accessible and easy to use for developers. Getting started and scanning your Go modules projects is as easy as installing our CLI, navigating into a folder containing the go.mod file and running snyk test or snyk monitor. 

You can read more about our CLI here and our Go support here.

Stay secure!