Skip to main content
Go or Golang is a software development programming language widely used by developers. Endor Labs supports scanning and monitoring of Go projects. Using Endor Labs, application security engineers and developers can:
  • Scan their software for potential security issues and violations of organizational policy.
  • Prioritize vulnerabilities in the context of their applications.
  • Understand the relationships between software components in their applications.

System specifications for deep scan

Before you proceed to run a deep scan, ensure that your system meets the following specification.
Project SizeProcessorMemory
Small projects4-core processor16 GB
Mid-size projects8-core processor32 GB
Large projects16-core processor64 GB

Software prerequisites

  • Make sure that you have Go 1.12 or higher versions.
  • Install Bazel version 5.x.x, 6.x.x, 7.x.x, 8.x.x, or 9.x.x if your project uses Bazel. Endor Labs supports Bzlmod with Bazel aspects. See Bazel for more information.
  • Make sure your repository includes one or more files with .go extension.

Build Go projects

You must build your Go projects before running the scan. Also verify that packages exist in the local package caches and that the go.mod file is well formed and available in the standard location. To ensure that your go.mod file is well formed, run the following command: 
go mod tidy
Run the following command to remove unnecessary dependencies and verify that all dependencies resolve without errors. 
go get ./

Scan Bazel projects

To scan Go projects that use Bazel, see Bazel for build instructions, supported rules, and scan commands. Endor Labs supports Bzlmod with Bazel aspects. See Bazel Aspects for more information.

Run a scan

Use the following options to scan your repositories. Perform the endorctl scan after building the projects.

Option 1 - Quick scan

Perform a quick scan to get quick visibility into your software composition. This scan won’t perform reachability analysis to help you prioritize vulnerabilities. 
endorctl scan --quick-scan
You can perform the scan from within the root directory of the Git project repository, and save the local results to a results.json file. The results and related analysis information are available on the Endor Labs user interface. 
endorctl scan --quick-scan -o json | tee /path/to/results.json
You can sign into the Endor Labs user interface, click the Projects on the left sidebar, and find your project to review its results.

Option 2 - Deep scan

Use the deep scan to perform dependency resolution, reachability analysis, and generate call graphs. You can do this after you complete the quick scan successfully. 
endorctl scan
Use the following flags to save the local results to a results.json file. The results and related analysis information are available on the Endor Labs user interface. 
endorctl scan -o json | tee /path/to/results.json
You can sign into the Endor Labs user interface, click the Projects on the left sidebar, and find your project to review its results.

Understand the scan process

Endor Labs resolves your Golang-based dependencies by leveraging built-in Go commands to replicate the way a package manager would install your dependencies. To discover package names for Go packages Endor Labs uses the command: 
GOMOD=off go list -e -mod readonly -json -m
To analyze the dependency graph of your package Endor Labs uses the command: 
GOMOD=off go list -e -deps -json -mod readonly all
To assess external dependencies, specifically third-party packages or libraries that your Go project relies on, Endor Labs uses the command: 
GOMOD=off go list -e -deps -json -mod vendor all
These commands allow us to assess packages’ unresolved dependencies, analyze the dependency tree, and resolve dependencies for your Go projects.

Go standard library vulnerability scanning

Endor Labs performs SCA for the Go standard library by adding the standard library as a dependency in the bill of materials (BOM). The Go version used for the standard library determines which standard library package Endor Labs matches for vulnerability checks.

Version resolution order

Endor Labs determines the Go version for standard library vulnerability scanning using the following precedence order.
  1. Use the system Go version By default, the scanner uses the version that go env GOVERSION reports in the scan environment. For example, if the host has Go 1.23.2 installed, the scanner uses 1.23.2 for scanning.
  2. Pin to a specific Go version: Set the ENDOR_SCAN_GO_VERSION environment variable to specify the Go version used for standard library vulnerability scanning. For example, setting ENDOR_SCAN_GO_VERSION to 1.23.4 ensures that the scanner uses Go 1.23.4 for standard library scanning. 
    export ENDOR_SCAN_GO_VERSION=1.23.4
endorctl scan
  3. Use the version from go.mod Set ENDOR_SCAN_USE_GOMOD_VERSION=true to instruct endorctl to use the version specified in the go directive of the module’s go.mod file instead of detecting the system Go version. 
    export ENDOR_SCAN_USE_GOMOD_VERSION=true
endorctl scan
    For example, if the go.mod file contains go 1.22 and the host system has Go 1.23 installed, the scanner uses Go 1.22 for vulnerability checks.
Fallback behaviorIf the scanner cannot detect the system Go version, it falls back to the version in the go directive in your module’s go.mod file.

Known limitations

Endor Labs creates go.mod files for you when projects do not have a go.mod file. This can lead to inconsistencies with the actual package created over time and across versions of the dependencies.

Troubleshoot errors

Here are a few error scenarios that you can check for and attempt to resolve them.
  • Host system check failure errors:
    • Go is not installed or not present in the PATH environment variable. Install Go and try again.
    • The installed version of Go is lower than 1.12. Install Go version 1.12 or higher and try again.
  • Resolved dependency errors:
    • A dependency version does not exist or cannot be found. The package may no longer exist in the repository.
    • If the go.mod file is not well-formed then dependency resolution may return errors. Run go mod tidy and try again.
  • Call graph errors: These errors often mean the project won’t build. Ensure any generated code is in place and verify that go build ./... runs successfully.