Skip to main content
Skip table of contents

Configuring the Unified Agent for Go

The following article includes best practices and configuration recommendations when using the Unified Agent (UA) to scan Go projects.

Best Practices

Before scanning a Go project, ensure the following for the most accurate results:

  1. You are using a supported Go package manager (see list below).

  2. The project can be built successfully on the machine where you are running the scan.

  3. One of the following is true:

    1. The dependency file and 'vendor' folder are available in the project, OR

    2. The go.collectDependenciesAtRuntime configuration parameter is set to true and the relevant dependency manager is installed.

Additionally, when using Go Modules, ensure that:

  1. The environment variable GO111MODULE is set appropriately. When your project folder is under the GOPATH, make sure to set GO111MODULE=on.

  2. You have a 'go.mod' or 'modules.txt' file as well as the source code for your project.

  3. go.resolveDependencies=false and go.modules.resolveDependencies=true in your UA config file.

Supported Package Managers

The Unified Agent provides support for a hierarchy tree for the following packages:

  • glide

  • gopm

  • godep

  • dep

  • govendor

  • vndr

  • modules (Go Modules)

For the other package managers (gogradle, vgo), the Unified Agent will show both direct and transitive dependencies as a flat structure.

Configuring Unified Agent Parameters

For all Go package managers other than Modules:

  • Set go.resolveDependencies=true

  • Set go.dependencyManager to the package manager in use

Note: if your team uses more than one package manager for Go, you can leave go.dependencyManager unmodified. In this case, the default behavior is to attempt dependency resolution with each supported Go package manager. To improve the efficiency of your scan, set this parameter to the specific package manager you are using for your Go projects.

Optional parameters:

  • go.collectDependenciesAtRuntime - Set to true if your project does not already have a 'vendor' folder. Make sure to run govendor fetch on the relevant project to download its dependencies first, otherwise the Unified Agent will return direct and transitive dependencies as a flat structure.

  • go.ignoreSourceFiles - Set to true if you wish to only include package dependencies, not source files. When set to true go source files will be ignored in the scan.

  • go.glide.ignoreTestPackages - Set to true if you wish to ignore test packages defined in the 'testImport' section of the 'glide.yaml' file.

  • go.gogradle.enableTaskAlias  - Set to true when using gogradle dependency manager and the gradle argument (in 'gradle.properties') includes gogradle.alias=true

Go Modules Specific Parameters

Go Modules has its own parameters for use with the Unified Agent. This version of resolution is required if you are using the Modules package manager.

  • go.modules.resolveDependencies - Set to true if this project only uses the Go Modules package manager. In this case, you must also set go.resolveDependencies=false.

  • go.modules.ignoreSourceFiles - Set to true if you wish to exclude Go source files from your scans.

  • go.modules.removeDuplicateDependencies - Set to true if you wish to remove duplicate dependencies from your scans.

  • go.modules.includeTestDependencies - Set to true if you wish to include test dependencies in your scans.

Additional Resources:

You can find more information about scanning Go projects in the following documents:

Unified Agent - documentation on how to use the Unified Agent

Go Integration- examples of Go results

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.