Go - Go Modules, Go Dep, Bazel

Debricked supports tracking Go dependencies via:

• Go Modules, using go.mod files

• Go Dep, using gopkg.lok files

• Bazel, using WORKSPACE files

Go Modules

We support tracking Go dependencies using the Go Modules dependency management system and its associated file go.mod.

For the fastest and most accurate results, a file containing the resolved dependency tree, .gomod.debricked.lock, has to be created prior to scanning.

This can be done using the High Performance Scans technology in our Debricked CLI. By running the resolve command, the CLI automatically detects all manifest files without the recommended go lock files and generates the files as needed.

It is also possible to generate the recommended file(s) manually by running go mod graph followed by go list -m all and storing the outputs separated by two new lines between the sections in gomod.debricked.lock.

printf "$(go mod graph)\n\n$(go list -mod=readonly -e -m all)" > gomod.debricked.lock

Every gomod.debricked.lock must be put in the same directory as the corresponding go.mod.

We also recommend running go mod tidy, which cleans up unused modules, before pushing the go.mod files, which makes the results of our service more accurate.

Bazel

We support Go projects using Bazel, scanning the WORKSPACE file format in addition to any Go file formats being used. Even though Bazel does not have native support for Go, it is possible to add support using Gazelle.

Go Dep

Go Dep and its associated file Gopkg.lock is deprecated and will not get any improvements present in other formats, such as Go Modules.

Supported file formats and features:

*This is a native lock file format. Native lock file formats are the fastest formats to scan.