Go - Go Modules, Go Dep, Bazel

See a breakdown of the file formats and features supported in Go.

Debricked supports tracking Go dependencies through:

  • Go Modules, using go.mod files

  • Go Dep, using Gopkg.lock files

  • Bazel, using WORKSPACE files

Go Modules

Debricked supports tracking Go dependencies using the Go Modules dependency management system and its associated go.mod file. To achieve the fastest and most accurate results, it is necessary to create a file containing the resolved dependency tree, gomod.debricked.lock, before scanning.

This can be done using the High Performance Scans technology in the Debricked CLI. By executing the resolve command, the CLI automatically identifies all manifest files that lack the recommended go.lock files and generates them as needed.

The recommended file(s) can also be generated manually by running go mod graph followed by go list -m all and storing both outputs in the gomod.debricked.lock file, with the two sections separated by two newlines. Passing the outputs as printf arguments, rather than as the format string, keeps any % or \ characters in them from being interpreted:

printf '%s\n\n%s' "$(go mod graph)" "$(go list -mod=readonly -e -m all)" > gomod.debricked.lock

Every gomod.debricked.lock must be put in the same directory as the corresponding go.mod.
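
A pre-scan check for the two rules above, as an added example that is not part of Debricked's tooling: it confirms that every go.mod has a gomod.debricked.lock beside it, that the file holds the graph section, an empty line and the module list, and that the list starts with the module named in go.mod. The function names are hypothetical, and the check assumes one main module per go.mod with an unquoted module path.

```shell
#!/bin/sh
# Added example, not Debricked tooling. Function names are hypothetical.

# lock_matches_gomod GO_MOD LOCK
# Succeeds when LOCK has the layout written by the printf command above:
# `go mod graph` edges, an empty line, then `go list -m all` output whose
# first line is the main module (assumed to be the one declared in GO_MOD).
lock_matches_gomod() {
    mod=$(awk '$1 == "module" { print $2; exit }' "$1")
    awk -v mod="$mod" '
        NF == 0 { sep = 1; next }               # empty line ends the graph section
        !sep    { if (NF != 2) bad = 1; next }  # graph edge: "parent child"
        !list++ { if ($1 != mod) bad = 1 }      # first list line: main module path
        END     { exit !(sep && list > 0 && !bad) }
    ' "$2"
}

# list_lock_problems ROOT
# Prints "MISSING <path>" or "INVALID <path>" for each go.mod under ROOT
# whose sibling gomod.debricked.lock is absent or fails the check above.
list_lock_problems() {
    find "$1" -type f -name go.mod | sort | while IFS= read -r gomod; do
        lock="$(dirname "$gomod")/gomod.debricked.lock"
        if [ ! -f "$lock" ]; then
            echo "MISSING $lock"
        elif ! lock_matches_gomod "$gomod" "$lock"; then
            echo "INVALID $lock"
        fi
    done
}

# check_debricked_locks ROOT
# CI gate: returns non-zero and reports on stderr if any problem was found.
# Usage: check_debricked_locks . || exit 1
check_debricked_locks() {
    problems=$(list_lock_problems "$1")
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems" >&2
        return 1
    fi
}
```

An INVALID result for a file that looks complete usually means it was generated in, or copied from, a different module's directory.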

Debricked recommends running go mod tidy to clean up unused modules before pushing the go.mod files, ensuring more accurate service results.

Bazel

Debricked supports Go projects that utilize Bazel, scanning the WORKSPACE file format alongside any Go file formats in use. Although Bazel does not have native support for Go, support can be added using Gazelle.

Go Dep

Go Dep and its associated file, Gopkg.lock, are deprecated and will not receive the improvements present in other formats, such as Go Modules.

Supported file formats and features

Package Manager
Supported File Formats
Root dependencies
Indirect dependencies
Dependency trees
Security Scanning
License Scanning
Root Fix
Pull Request
Vulnerable Functionality
High Performance Scan

Bazel

WORKSPACE

-

Bazel

install.json

Yes*

Go Modules

go.mod

Yes

Go Dep

Gopkg.lock

Yes*

*This is a native lock file format. Native lock file formats are the fastest formats to scan.
