Snyk Code adds Go security scanning

Editor's note (January 10, 2022): Go support within Snyk Code is now GA.

Snyk Code was launched at the beginning of 2021, and since then it has come a long way in a short time. As a developer-first security tool, it offers an intuitive UI and CLI, embeds in popular IDEs, provides actionable fix recommendations, and scans with industry-leading, real-time speeds and high accuracy. On top of that, it's all backed by ML-driven algorithms that learn from the global developer community, growing its robust knowledge base exponentially.

And since its launch, we've been steadily adding more languages. Snyk Code already supports JavaScript, TypeScript, Java, Python, C#, PHP (beta), and now... drum roll please... Go support in beta!

Let's take a look at how we got Snyk Code's Go security scanning to beta and how you can start taking advantage of its capabilities.

Go's journey in Snyk Code

Typically, the process of adding a new language begins with adding a parser to the Snyk Code engine that generates an intermediate representation of the original code. The intermediate representation is language-independent and supports all the characteristics of modern multi-purpose languages. The next step is to run the machine learning supported process to generate a knowledge base of rules. Every language comes with a unique runtime or set of libraries and the engine learns what are the specific sources and sink functions.

As you can imagine, this is an iterative process, and as a result the knowledge base is exponentially growing by the day. At a certain point, when the feedback by our very early testers is that they benefit from seeing security issues formerly uncaught by other tools, we add the new knowledge base to production. We flag the rules with “beta” because we are not totally done, but we want to provide value as soon as possible so we can keep making them better. We then continue add new rules every day and results might not include everything yet but the findings will continuously grow. When our internal measurements and tests prove we reached the coverage and accuracy we strive for, the language support leaves beta and is fully supported.

And now this process is being used to add another new language: Go. The language itself is relatively young. but we've seen strong adoption over recent years. Go was designed to fill a gap. Languages offering strong performance control like C++ are perceived to be complex and cumbersome. But languages that are easy to understand and readable like Python seem to have lower overall performance. Go was designed to fill the gap with an eye on the modern environments — heavily networked and multi-core machines.

While Go as a programming language includes aspects that prevent some typical sources of bugs — like static typing or memory safety, plus the programming environment had certain tools like a linter from the very start — issues on a semantic level still exist. And that's where Snyk Code comes in.

Note: Generally, your app consists of open source dependencies as well as your own code. Snyk Open Source scans package manager configurations for Go Modules, dep or govendor and checks for vulnerable packages.

Running a Snyk Code scan on your Go project

One of the major benefits of Snyk Code is that it does not require any installation when you are using a source code management system like GitHub or GitLab. It must not even be your own code but you can scan open source repositories. It all starts with having a free account by signing up for a free Snyk account — no credit card required, all you need is a GitHub or GitLab account.

Next add a project, either one in your personal git account or by providing the path to a public repo. The scans then start automatically and even the largest repositories containing tens of thousands of files are done within minutes.

Opening the Code Analysis results will show the results of the scan in detail:

Note: As Go is in beta, results will not be as accurate as fully supported languages. Also, the results will differ on a daily basis due to our continuous updates.

Just like with our other languages, the IDE plugins for Visual Studio Code and JetBrains GoLand will also support Go security scanning from Snyk Code. And of course, the Snyk CLI also supports Go.

Help us get our Go security scanning out of beta faster by giving it a try and sending us feedback.