Free Go Module Vulnerability Scanning with Visual Studio Code IDE

Looking for vulnerabilities in Go modules with VS Code IDE and JFrog X-ray

UPDATE: As of May 1, 2021, the GoCenter central repository has been sunset and all of its features are deprecated. For more information on the sunsetting of the centers, read the deprecation blog post.

If you’re a Golang developer using Visual Studio Code, keeping at-risk Go Modules out of your apps just got easier, and for free.

Today we’re announcing a new version of the JFrog extension for VS Code IDE, available for free download. This integration brings live vulnerability information about every public Go Module you’re using directly into your source editor from the rich metadata of JFrog GoCenter. This means you can be aware of potential risks from your open-source Go Modules and make better choices, even before your first build.

The Go Modules Power of GoCenter

GoCenter is a public GOPROXY for Go Modules provided by JFrog to the growing ranks of Golang developers as a free community service. Since its launch last year, GoCenter has grown into a comprehensive repository of around 700,000 immutable, versioned Go Modules for public use. Developers around the world use GoCenter as their GOPROXY to gain control over Go dependencies and to make Golang builds faster.

GoCenter also empowers Golang developers by storing metadata about each Go Module, available through a browsable UI. Users can search GoCenter’s catalog, and view usage information and statistics on any module and version.

As Golang evolves, security concerns grow, so JFrog has made GoCenter a more security-focused central repository. GoCenter’s metadata now includes vulnerability information on every Go Module version, populated through the deep recursive scanning of JFrog Xray.

DevSecOps To Go

VS Code has become the source editor of choice for many Golang coders, including some of our own developers at JFrog. It’s among several JFrog integrations for popular IDEs provided for customers of JFrog Xray, making the risks of open-source dependencies more visible to developers and helping to shift security vigilance left, into the editor.

To help fulfill our mission of making software development and delivery faster, more secure, and more reliable, we’ve taken our VS Code extension to the next level. By drawing from the Go module vulnerabilities data available in GoCenter, VS Code users can benefit — even without a licensed instance of Xray.

Once the extension is installed, you can see all of this information in VS Code while hovering over the module in the go.mod file.

VS Code IDE doesn’t only show this information for your direct module dependencies. You can also see indirect (transitive) dependencies, in a hierarchical tree view.

You can jump from the module in the go.mod directly to the tree view, and do the same from the tree back to the module definition in the go.mod.
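The direct/indirect distinction the tree view relies on comes from the go.mod file itself: the `go` tool marks requirements that only exist because a direct dependency needs them with a trailing `// indirect` comment, and it is the `path@version` coordinates in those `require` directives that a registry lookup (GoCenter in the article's case) is keyed on. As an added example written for this page (not code from the JFrog extension or the Go toolchain), the program below parses the `require` directives of a go.mod, both the single-line and the block form, splits them into direct and transitive requirements, and renders the coordinates a scanner would look up. The go.mod text is constructed for the example; the module paths under `example.com/` are placeholders.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Dependency is one requirement taken from a go.mod file.
type Dependency struct {
	Path     string
	Version  string
	Indirect bool // true when the line carries the "// indirect" marker
}

// ParseGoMod extracts every require directive from go.mod text. It handles
// the single-line form "require path version" and the block form
// "require ( ... )". Other directives (module, go, replace, exclude) are
// skipped because they do not name a dependency to look up.
func ParseGoMod(src string) []Dependency {
	var deps []Dependency
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || strings.HasPrefix(line, "//"):
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require ("):
			inBlock = true
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			continue
		}
		if d, ok := parseRequireLine(line); ok {
			deps = append(deps, d)
		}
	}
	return deps
}

// parseRequireLine turns "path version [// indirect]" into a Dependency.
func parseRequireLine(line string) (Dependency, bool) {
	indirect := false
	if i := strings.Index(line, "//"); i >= 0 {
		indirect = strings.Contains(line[i:], "indirect")
		line = strings.TrimSpace(line[:i])
	}
	fields := strings.Fields(line)
	if len(fields) != 2 {
		return Dependency{}, false
	}
	return Dependency{Path: fields[0], Version: fields[1], Indirect: indirect}, true
}

// Split separates direct requirements from transitive ("indirect") ones,
// the same distinction the extension's tree view makes.
func Split(deps []Dependency) (direct, indirect []Dependency) {
	for _, d := range deps {
		if d.Indirect {
			indirect = append(indirect, d)
		} else {
			direct = append(direct, d)
		}
	}
	return direct, indirect
}

// Coordinates renders each requirement as path@version, the key a module
// registry's vulnerability metadata is looked up by.
func Coordinates(deps []Dependency) []string {
	out := make([]string, 0, len(deps))
	for _, d := range deps {
		out = append(out, d.Path+"@"+d.Version)
	}
	return out
}

// sampleGoMod is a constructed go.mod; the module paths are placeholders.
const sampleGoMod = `module example.com/demo

go 1.16

require (
	example.com/alpha v1.4.0
	example.com/beta v0.9.2 // indirect
	example.com/constructed v0.0.0-20200101000000-abcdef123456 // indirect
)

require example.com/gamma v2.0.0+incompatible

replace example.com/alpha => ../alpha
`

func main() {
	deps := ParseGoMod(sampleGoMod)
	direct, indirect := Split(deps)
	fmt.Println("direct:  ", Coordinates(direct))
	fmt.Println("indirect:", Coordinates(indirect))
}
```

A real go.mod can also carry `exclude` and `retract` directives and `replace` blocks; the parser above ignores all of them, which is the right call for a lookup of what will actually be fetched, but it means a `replace` that redirects a module to a local path still shows up under its original coordinates.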

You can also navigate directly into the GoCenter’s UI and see even more information about the module under the Security tab.

GOPROXY and Beyond

We hope you’ll like this new feature of the JFrog VS Code Extension, and that it helps show the value of using GoCenter as your GOPROXY. With such accelerating growth of the Go Module ecosystem, it becomes ever more important to have insight into the dependencies you use.

Once you experience the power of shifting left, you might also want to consider enabling the same control for the other languages you use in VS Code. You’re welcome to give JFrog Xray a free trial to see how it can reveal risks in many package types, including Maven, Gradle, npm, NuGet, RubyGems, and PHP Composer. Xray can also identify dependencies that don’t match your organization’s license policies.

We are working very hard to create even more value for the Go community, which we are proud to be part of. The extension is open source and GoCenter was built free for the community, so you’re welcome to join us and contribute feedback to this project.