How to Scan Your Golang Build for Vulnerabilities

Golang (or Go, as it is commonly called) is a programming language that originated at Google in 2007.Go has become popular with developers over the past decade due largely to its reputation as a language that is easy-to-learn. It also offers the benefits of readable, well-structured code, and it features robust support for concurrency – meaning the ability to execute multiple parts of an application or process in parallel, which often boosts performance.

Go modules and packages

To help developers compile and distribute Go software, Go supports the concepts of both packages and modules. A Go package is a collection of related Go source code files. Multiple packages can be combined to create a Go module, which developers can use as a building-block within applications.

As with almost any type of software module or package system, Go packages and modules may contain security vulnerabilities, such as code weaknesses within source files or dependencies on vulnerable libraries. If insecure packages or modules are included in a Go application, the threats will spread to any computer that runs the insecure software.

As Go has grown in popularity, the security risks associated with Go packages and modules have grown with it, prompting platforms like GitHub to devote additional resources to securing Go modules.

Managing Go security vulnerabilities

There are two main categories of tools available for detecting and addressing Go security vulnerabilities.

1. Open source Go security scanners

The first consists of open source tools, such as gosec. These tools offer a convenient solution for quickly scanning Go code on the command line, but they are subject to some limitations:

  • For the most part, they only scan Go source code for vulnerabilities. They may not detect vulnerabilities associated with the way Go modules or packages are configured.
  • They may not automatically include dependencies when performing scanning.

Their ability to detect insecure source code is limited. They can identify coding patterns that are associated with security issues, such as the inclusion of passwords or other sensitive data directly within source code. But they don’t cover all types of security issues that may arise from source code, and they are not well suited to reveal deep security problems within source code.

  • They don’t usually offer native support for automated, continuous scanning. To achieve that, you’d need to integrate the tools with your CI/CD pipeline manually.
  • They only scan first-party source code; they don’t scan third-party modules. As a result, these tools serve a somewhat different purpose than commercial Go scanners like Xray, which can scan third-party modules and dependencies.

2. Commercial Go security scanning

In addition to open source tools, commercial vulnerability scanning solutions are available that support Go, such as JFrog Xray. Xray can comprehensively scan Go packages and modules no matter how they are structured — whether as Zip files, Docker images or any other format. In addition, Xray scans Go dependencies for vulnerabilities, which allows developers to detect and remediate security issues in any third-party module that a Go application includes.

Xray also provides impact analysis when it detects a vulnerability in a Go package or module. Impact analysis helps organizations assess how widespread a vulnerability is within the software they use, which in turn enables them to make informed decisions about which vulnerabilities to prioritize.

And, because Xray’s Go scanning features can be integrated with CI servers, Xray can provide automated, continuous Go scanning within a CI/CD pipeline. This ensures that Go packages and modules are scanned as soon as they are introduced to the pipeline, which maximizes the chances of detecting and remediating security issues before an application is deployed into production.