# Go

> Learn how to implement Endor Labs in repositories with Go packages.

Go, also known as Golang, is a widely used programming language. Endor Labs supports scanning and monitoring of Go projects.

Using Endor Labs, application security engineers and developers can:

* Scan their software for potential security issues and violations of organizational policy.
* Prioritize vulnerabilities in the context of their applications.
* Understand the relationships between software components in their applications.

## System specifications for deep scan

Before you proceed to run a deep scan, ensure that your system meets the following specification.

| Project Size      | Processor         | Memory |
| ----------------- | ----------------- | ------ |
| Small projects    | 4-core processor  | 16 GB  |
| Mid-size projects | 8-core processor  | 32 GB  |
| Large projects    | 16-core processor | 64 GB  |

## Software prerequisites

* Make sure that you have Go 1.12 or higher versions.
* Install Bazel version `5.x.x`, `6.x.x`, `7.x.x`, `8.x.x`, or `9.x.x` if your project uses Bazel. Endor Labs supports Bzlmod with Bazel aspects. See [Bazel](/scan/bazel) for more information.
* Make sure your repository includes one or more files with `.go` extension.

## Build Go projects

You must build your Go projects before running the scan. Also verify that packages exist in the local package caches and that the *go.mod* file is well formed and available in the standard location.

To ensure that your go.mod file is well formed, run the following command:

```bash theme={null}
go mod tidy
```

Run the following command to remove unnecessary dependencies and verify that all dependencies resolve without errors.

```bash theme={null}
go get ./
```

## Scan Bazel projects

To scan Go projects that use Bazel, see [Bazel](/scan/bazel) for build instructions, supported rules, and scan commands. Endor Labs supports Bzlmod with Bazel aspects. See [Bazel Aspects](/scan/bazel/bazel-aspects) for more information.

## Run a scan

Use the following options to scan your repositories. Perform the endorctl scan after building the projects.

### Option 1 - Quick scan

Perform a quick scan to get fast visibility into your software composition. A quick scan does not perform reachability analysis, so it cannot help you prioritize vulnerabilities by reachability.

```bash theme={null}
endorctl scan --quick-scan
```

You can perform the scan from within the root directory of the Git project repository, and save the local results to a *results.json* file. The results and related analysis information are available on the Endor Labs user interface.

```bash theme={null}
endorctl scan --quick-scan -o json | tee /path/to/results.json
```

You can sign into the [Endor Labs user interface](https://app.endorlabs.com), click the **Projects** on the left sidebar, and find your project to review its results.

### Option 2 - Deep scan

Use the deep scan to perform dependency resolution and reachability analysis and to generate call graphs. Run it after the quick scan completes successfully.

```bash theme={null}
endorctl scan
```

Use the following flags to save the local results to a *results.json* file. The results and related analysis information are available on the Endor Labs user interface.

```bash theme={null}
endorctl scan -o json | tee /path/to/results.json
```

You can sign into the [Endor Labs user interface](https://app.endorlabs.com), click the **Projects** on the left sidebar, and find your project to review its results.

## Understand the scan process

Endor Labs resolves your Golang-based dependencies by leveraging built-in Go commands to replicate the way a package manager would install your dependencies.

To discover package names for Go packages, Endor Labs uses the command:

```bash theme={null}
GOMOD=off go list -e -mod readonly -json -m
```

To analyze the dependency graph of your package, Endor Labs uses the command:

```bash theme={null}
GOMOD=off go list -e -deps -json -mod readonly all
```

To assess external dependencies, specifically third-party packages or libraries that your Go project relies on, Endor Labs uses the command:

```bash theme={null}
GOMOD=off go list -e -deps -json -mod vendor all
```

These commands let Endor Labs identify packages with unresolved dependencies, analyze the dependency tree, and resolve dependencies for your Go projects.
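As an added illustration of what these commands produce (example code, not Endor Labs' own implementation), the Go program below decodes the stream of JSON objects that `go list -e -deps -json all` prints, collects the third-party module versions that would enter the bill of materials, and reports every package that `-e` marked with an `Error`. The sample stream is constructed and heavily trimmed; the field names are the ones `go list -json` emits.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// listPkg holds the subset of `go list -json` fields this example reads.
type listPkg struct {
	ImportPath string
	Standard   bool
	Module     *struct{ Path, Version string; Main bool }
	Error      *struct{ Err string }
}

// ParseGoList decodes the concatenated JSON objects that `go list -e -deps -json all`
// prints (one object per package, not a JSON array). It returns third-party modules as
// path -> version (what enters the BOM) and the import paths that -e reported with an Error.
func ParseGoList(r io.Reader) (map[string]string, []string, error) {
	dec := json.NewDecoder(r)
	modules := map[string]string{}
	var unresolved []string
	for {
		var p listPkg
		if err := dec.Decode(&p); err == io.EOF {
			break
		} else if err != nil {
			return nil, nil, fmt.Errorf("malformed go list output: %w", err)
		}
		if p.Error != nil {
			unresolved = append(unresolved, p.ImportPath)
		}
		// Standard-library and main-module packages are not third-party dependencies.
		if p.Standard || p.Module == nil || p.Module.Main || p.Module.Version == "" {
			continue
		}
		modules[p.Module.Path] = p.Module.Version
	}
	return modules, unresolved, nil
}
// sampleGoList is a constructed, trimmed go list stream used only for this demo.
const sampleGoList = `{"ImportPath":"example.com/app","Module":{"Path":"example.com/app","Main":true}}
{"ImportPath":"fmt","Standard":true}
{"ImportPath":"golang.org/x/text/unicode/norm","Module":{"Path":"golang.org/x/text","Version":"v0.14.0"}}
{"ImportPath":"example.com/missing","Error":{"Err":"cannot find module providing package"}}`
func main() {
	modules, unresolved, err := ParseGoList(strings.NewReader(sampleGoList))
	fmt.Println(modules, unresolved, err)
}
```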

## Go standard library vulnerability scanning

Endor Labs performs SCA for the Go standard library by adding the standard library as a dependency in the bill of materials (BOM). The Go version used for the standard library determines which standard library package Endor Labs matches for vulnerability checks.

### Version resolution order

Endor Labs determines the Go version for standard library vulnerability scanning using the following precedence order.

1. **Use the system Go version**

   By default, the scanner uses the version that `go env GOVERSION` reports in the scan environment. For example, if the host has Go 1.23.2 installed, the scanner uses 1.23.2 for scanning.

2. **Pin to a specific Go version**

   Set the `ENDOR_SCAN_GO_VERSION` environment variable to specify the Go version used for standard library vulnerability scanning.

   For example, setting `ENDOR_SCAN_GO_VERSION` to `1.23.4` ensures that the scanner uses Go 1.23.4 for standard library scanning.

   ```bash theme={null}
   export ENDOR_SCAN_GO_VERSION=1.23.4
   endorctl scan
   ```

3. **Use the version from `go.mod`**

   Set `ENDOR_SCAN_USE_GOMOD_VERSION=true` to instruct endorctl to use the version specified in the `go` directive of the module's `go.mod` file instead of detecting the system Go version.

   ```bash theme={null}
   export ENDOR_SCAN_USE_GOMOD_VERSION=true
   endorctl scan
   ```

   For example, if the `go.mod` file contains `go 1.22` and the host system has Go 1.23 installed, the scanner uses Go 1.22 for vulnerability checks.

<Note>
  **Fallback behavior**

  If the scanner cannot detect the system Go version, it falls back to the version in the `go` directive in your module’s `go.mod` file.
</Note>
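The precedence described above, including the fallback from the note, written out as a small Go resolver. This is an added example, not endorctl's implementation; it assumes that an explicit `ENDOR_SCAN_GO_VERSION` pin wins when both variables are set (the page does not say), and the `go.mod` content is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// GoModVersion returns the version from the `go` directive of go.mod content
// (for "go 1.22" it returns "1.22"), or "" when the directive is absent.
func GoModVersion(gomod string) string {
	for _, line := range strings.Split(gomod, "\n") {
		if f := strings.Fields(line); len(f) == 2 && f[0] == "go" {
			return f[1]
		}
	}
	return ""
}

// ResolveStdlibVersion applies the precedence described above: an explicit
// ENDOR_SCAN_GO_VERSION pin, then ENDOR_SCAN_USE_GOMOD_VERSION=true, then the
// system version, with the go.mod directive as the fallback when the system
// version is unknown. It returns the version and which source supplied it.
// Assumption (not stated on the page): the explicit pin wins if both are set.
func ResolveStdlibVersion(env map[string]string, systemVersion, gomod string) (string, string, error) {
	if v := env["ENDOR_SCAN_GO_VERSION"]; v != "" {
		return v, "ENDOR_SCAN_GO_VERSION", nil
	}
	modVersion := GoModVersion(gomod)
	if env["ENDOR_SCAN_USE_GOMOD_VERSION"] == "true" && modVersion != "" {
		return modVersion, "go.mod", nil
	}
	if systemVersion != "" {
		// `go env GOVERSION` prints e.g. "go1.23.2"; the scanner compares on "1.23.2".
		return strings.TrimPrefix(systemVersion, "go"), "system", nil
	}
	if modVersion != "" {
		return modVersion, "go.mod (fallback)", nil
	}
	return "", "", errors.New("cannot determine a Go version for standard library scanning")
}

// sampleGoMod is a constructed go.mod used only to exercise the resolver.
const sampleGoMod = "module example.com/app\n\ngo 1.22\n\nrequire golang.org/x/text v0.14.0\n"

func main() {
	env := map[string]string{"ENDOR_SCAN_USE_GOMOD_VERSION": "true"}
	v, src, err := ResolveStdlibVersion(env, "go1.23.2", sampleGoMod)
	fmt.Println(v, src, err) // 1.22 go.mod <nil>
}
```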

## Known limitations

When a project has no `go.mod` file, Endor Labs generates one for you. The generated file may not match the dependency set the project actually uses, and the mismatch can grow over time and across versions of the dependencies.

## Troubleshoot errors

Here are a few error scenarios that you can check for and attempt to resolve.

* **Host system check failure errors**:
  * Go is not installed or not present in the PATH environment variable. Install Go and try again.
  * The installed version of Go is lower than 1.12. Install Go version 1.12 or higher and try again.

* **Resolved dependency errors**:

  * A dependency version does not exist or cannot be found. The package may no longer exist in the repository.
  * If the `go.mod` file is not well formed, dependency resolution may return errors. Run `go mod tidy` and try again.

* **Call graph errors**:

  These errors often mean the project won't build. Ensure any generated code is in place and verify that `go build ./...` runs successfully.
