Auditing go.mod Dependencies for Security

Learn how to audit Go module dependencies for security vulnerabilities using govulncheck, version pinning, and go.mod analysis. Understand the role of go.sum in supply chain security.

Detailed Explanation

Security Auditing of go.mod Dependencies

Go module security involves three things: checking dependencies for known vulnerabilities, verifying that the module bytes you build with match recorded checksums, and controlling where modules are fetched from and which of them bypass public verification.

govulncheck

Go's official vulnerability checker, maintained by the Go team:

go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...

It checks your code against the Go Vulnerability Database (vuln.go.dev) using static call-graph analysis. By default it reports only vulnerabilities in functions your code actually reaches; vulnerabilities in required modules whose affected functions are never called are summarised separately rather than listed, so the noise level is far below that of a plain version-match scanner. It can also scan a compiled binary (govulncheck -mode=binary ./bin/app), which is useful for artifacts built elsewhere. Because the analysis is static, calls made through reflection or plugins can be missed, so treat a clean run as strong evidence rather than proof.

Reading go.mod for Security

When auditing go.mod:

  1. Check direct dependencies: these are your primary attack surface and the modules you chose deliberately
  2. Review indirect dependencies (marked // indirect): transitive deps can introduce vulnerabilities in code you never imported yourself
  3. Look for old versions and pseudo-versions (v0.0.0-yyyymmddhhmmss-commit): outdated or untagged code is more likely to carry unpatched CVEs and is harder to match against advisories
  4. Check replace directives: replacements pointing to forks or local paths leave the upstream release line and may never receive security patches; they also take effect only in the main module, never for consumers of your module
  5. Verify +incompatible modules: the suffix marks a module at major version 2 or above that was published without a go.mod file (or without the /vN path suffix), so the go command cannot read its requirements and its dependencies are resolved without the versions its authors built against
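As an added example (not part of the original page and not Go tooling), here is a small stdlib-only Go program that applies items 2 to 5 of the checklist to a go.mod file: it separates direct entries from // indirect ones, and flags +incompatible versions, pseudo-versions that point at untagged commits, and replace directives that swap a module for a fork or a local directory. The go.mod it parses is constructed; apart from gin and golang.org/x/crypto, the module paths are hypothetical. The parser handles require and replace lines only, so use golang.org/x/mod/modfile for anything production-grade.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Dep is one require entry; Replace is one replace directive (New is a module
// path or a local directory); Finding is one audit observation.
type Dep struct {
	Module, Version string
	Indirect        bool
}
type Replace struct{ Old, New string }
type Finding struct{ Kind, Module, Detail string }

// pseudoVersion matches the -yyyymmddhhmmss-commit tail that marks an untagged commit.
var pseudoVersion = regexp.MustCompile(`-\d{14}-[0-9a-f]{12}`)

// sampleGoMod is a constructed go.mod with hypothetical module paths that
// exercises every check below; it is not taken from any real project.
const sampleGoMod = `module example.com/app
require (
	github.com/gin-gonic/gin v1.9.1
	golang.org/x/crypto v0.18.0
	github.com/example/legacy v2.1.0+incompatible
	github.com/example/lib v0.0.0-20230501120000-0123456789ab // indirect
)
replace github.com/example/lib => github.com/myorg/lib-fork v0.0.0-20230601120000-abcdef012345
replace golang.org/x/crypto => ../local-crypto
`

// parseGoMod is a small line-oriented parser for require and replace directives
// in single-line and block form; other directives and block comments are ignored.
func parseGoMod(src string) (deps []Dep, reps []Replace) {
	block := "" // "require" or "replace" while inside a ( ... ) block
	for _, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		indirect := strings.Contains(line, "// indirect")
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch line {
		case "":
			continue
		case "require (", "replace (":
			block = strings.Fields(line)[0]
			continue
		case ")":
			block = ""
			continue
		}
		fields := strings.Fields(line)
		kind := block
		if kind == "" {
			kind, fields = fields[0], fields[1:]
		}
		switch kind {
		case "require":
			if len(fields) >= 2 {
				deps = append(deps, Dep{fields[0], fields[1], indirect})
			}
		case "replace": // old [version] => new [version]
			for i := 1; i+1 < len(fields); i++ {
				if fields[i] == "=>" {
					reps = append(reps, Replace{fields[0], fields[i+1]})
				}
			}
		}
	}
	return deps, reps
}

// audit applies the checklist: +incompatible versions, pseudo-versions, and
// replace directives that point at a fork or at a local path.
func audit(deps []Dep, reps []Replace) (out []Finding) {
	for _, d := range deps {
		if strings.HasSuffix(d.Version, "+incompatible") {
			out = append(out, Finding{"incompatible", d.Module, d.Version})
		}
		if pseudoVersion.MatchString(d.Version) {
			out = append(out, Finding{"pseudo-version", d.Module, d.Version})
		}
	}
	for _, r := range reps {
		if strings.HasPrefix(r.New, ".") || strings.HasPrefix(r.New, "/") {
			out = append(out, Finding{"replace-local", r.Old, r.New})
		} else if r.New != r.Old {
			out = append(out, Finding{"replace-fork", r.Old, r.New})
		}
	}
	return out
}

func main() {
	deps, reps := parseGoMod(sampleGoMod)
	for _, f := range audit(deps, reps) {
		fmt.Printf("FINDING %-14s %s (%s)\n", f.Kind, f.Module, f.Detail)
	}
}
```

On the constructed input this prints four findings: the +incompatible legacy module, the pseudo-versioned indirect dependency, the replace that redirects that dependency to a fork, and the replace that points golang.org/x/crypto at a local directory. Each of those is a line a reviewer should be asked to justify.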

go.sum and Supply Chain Security

The go.sum file records cryptographic checksums for every module version the build has used:

github.com/gin-gonic/gin v1.9.1 h1:4idEAncQnU5...
github.com/gin-gonic/gin v1.9.1/go.mod h1:RdlXhH...
  • Two entries per module version: one for the module's source tree (the extracted zip) and one for its go.mod alone, so version selection can read go.mod files without downloading whole modules
  • The h1: prefix names the algorithm: SHA-256 over a sorted listing of each file's name and its own SHA-256, base64-encoded
  • The first time a version is added, the go command fetches its checksum from the Go checksum database (sum.golang.org), an append-only transparency log; every later build verifies the downloaded bytes against go.sum, which is why go.sum must be committed and reviewed like code
  • Tampering with a published module is detectable: the bytes no longer match go.sum, and a checksum database serving a different hash for the same version can be detected through the log's inclusion and consistency proofs
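To make the two go.sum entries concrete, here is an added example (mine, not code from the page or from the Go project) that recomputes both hashes for a constructed two-file module and checks them against go.sum lines. hash1 follows the published specification of Hash1 in golang.org/x/mod/sumdb/dirhash; the module path example.com/lib, its files and the go.sum lines are all constructed, and the checksum database is never contacted. Changing one byte of lib.go fails the module line while the /go.mod line still matches, which is exactly why go.sum keeps the two entries separately.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// hash1 reimplements the "h1:" scheme go.sum records, following the specification
// of Hash1 in golang.org/x/mod/sumdb/dirhash (reproduced here so the example has no
// dependencies): each file's SHA-256 is written as "<hex>  <name>\n" in sorted name
// order, that summary is hashed with SHA-256 again, and the digest is base64-encoded.
func hash1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	summary := sha256.New()
	for _, n := range names {
		fileSum := sha256.Sum256(files[n])
		fmt.Fprintf(summary, "%x  %s\n", fileSum[:], n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// goModHash is the value on the "<module> <version>/go.mod" line: Hash1 over a
// single file named go.mod, so it can be checked without fetching the whole module.
func goModHash(goMod []byte) string {
	return hash1(map[string][]byte{"go.mod": goMod})
}

// moduleHash is the value on the "<module> <version>" line: Hash1 over every file
// in the module zip, whose entries are named "<module>@<version>/<path>".
func moduleHash(module, version string, files map[string][]byte) string {
	prefixed := make(map[string][]byte, len(files))
	for name, data := range files {
		prefixed[module+"@"+version+"/"+name] = data
	}
	return hash1(prefixed)
}

// verifyGoSum recomputes both hashes for a module's files and compares them with
// the lines go.sum holds for that module and version; a nil error means they match.
func verifyGoSum(goSum, module, version string, files map[string][]byte) error {
	recorded := map[string]string{}
	for _, line := range strings.Split(goSum, "\n") {
		if f := strings.Fields(line); len(f) == 3 && f[0] == module {
			recorded[f[1]] = f[2]
		}
	}
	computed := map[string]string{
		version:             moduleHash(module, version, files),
		version + "/go.mod": goModHash(files["go.mod"]),
	}
	for key, h := range computed {
		switch recorded[key] {
		case "":
			return fmt.Errorf("go.sum has no entry for %s %s", module, key)
		case h:
		default:
			return fmt.Errorf("checksum mismatch for %s %s", module, key)
		}
	}
	return nil
}

// Constructed two-file module standing in for a downloaded zip (hypothetical path).
const sampleModule, sampleVersion = "example.com/lib", "v1.0.0"

func sampleFiles() map[string][]byte {
	return map[string][]byte{
		"go.mod": []byte("module example.com/lib\n\ngo 1.22\n"),
		"lib.go": []byte("package lib\n\nfunc Answer() int { return 42 }\n"),
	}
}

// sampleGoSum builds the two lines the go command would have recorded for
// sampleFiles when the module was first added (the checksum database is not consulted).
func sampleGoSum(files map[string][]byte) string {
	return fmt.Sprintf("%s %s %s\n%s %s/go.mod %s\n",
		sampleModule, sampleVersion, moduleHash(sampleModule, sampleVersion, files),
		sampleModule, sampleVersion, goModHash(files["go.mod"]))
}

func main() {
	files := sampleFiles()
	goSum := sampleGoSum(files)
	fmt.Print(goSum)
	fmt.Println("pristine:", verifyGoSum(goSum, sampleModule, sampleVersion, files))
	// A one-byte change in a source file breaks the module hash but not the go.mod hash.
	files["lib.go"] = []byte("package lib\n\nfunc Answer() int { return 41 }\n")
	fmt.Println("tampered:", verifyGoSum(goSum, sampleModule, sampleVersion, files))
}
```

The same comparison is what go mod verify does against the module cache. Note that the hash covers file names as well as contents, so renaming a file inside a module is detected too.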

Version Pinning Strategy

require (
    // go.mod records the minimum version of each dependency. Minimal version
    // selection then builds with the highest version required by any module in
    // the graph, so these lines are floors a dependency can raise, never pins.
    // Keep security-critical deps at explicit, current patch versions.
    golang.org/x/crypto v0.18.0
    golang.org/x/net    v0.20.0
)

Confirm which version was actually selected with go list -m golang.org/x/crypto, and find out which dependency pulled it in with go mod why or go mod graph.

Forcing Security Updates

When a transitive dependency has a vulnerability, raise your own go.mod's requirement so that minimal version selection picks the fixed release:

# Raise the minimum version of a specific indirect dependency
go get golang.org/x/crypto@v0.18.0

# Or use replace as a temporary measure (in go.mod)
replace golang.org/x/crypto v0.17.0 => golang.org/x/crypto v0.18.0

Prefer go get: it records the requirement in the normal way, go mod tidy keeps it (marked // indirect if none of your packages import the module directly), and the fix propagates to anything that depends on your module. A replace directive with a version on the left side rewrites only that exact version, applies only when your module is the main module being built, and is silently ignored by consumers of your module, so remove it once the dependency that required the old version has been updated.
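The following added example (not from the page or the Go toolchain) models the minimal version selection that both techniques above rely on, over a constructed dependency graph with hypothetical module paths; only golang.org/x/crypto is real, and its version numbers are illustrative. The main module "pins" x/crypto at v0.17.0, but a transitive dependency requires v0.19.0, so v0.19.0 is what gets built; goGet then models go get golang.org/x/crypto@v0.20.0 raising the main module's floor. Replace directives are not modelled, and the semver comparison ignores pre-release ordering.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ModVer is one module version; the main module is keyed with an empty version.
type ModVer struct{ Path, Version string }

// Graph maps each module version to the require list of its own go.mod.
type Graph map[ModVer][]ModVer

// semverParts extracts MAJOR, MINOR, PATCH from "vX.Y.Z[-pre][+build]".
func semverParts(v string) (p [3]int) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	for i, s := range strings.SplitN(v, ".", 3) {
		p[i], _ = strconv.Atoi(s)
	}
	return p
}

// semverLess orders tagged releases numerically (pre-release ordering is not
// modelled; golang.org/x/mod/semver implements the full rules).
func semverLess(a, b string) bool {
	pa, pb := semverParts(a), semverParts(b)
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// buildList performs minimal version selection: every module version reachable
// from root is visited, and for each module path the highest version that any
// visited go.mod requires is selected. A require line in the main module is
// therefore a floor that dependencies can raise, not a pin.
func buildList(g Graph, root ModVer) map[string]string {
	selected := map[string]string{}
	seen := map[ModVer]bool{root: true}
	queue := []ModVer{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, req := range g[cur] {
			if v, ok := selected[req.Path]; !ok || semverLess(v, req.Version) {
				selected[req.Path] = req.Version
			}
			if !seen[req] {
				seen[req] = true
				queue = append(queue, req)
			}
		}
	}
	return selected
}

// goGet models `go get path@version` on the main module: it raises the main
// go.mod's requirement on that path (adding one if absent) and returns the new
// graph. Downgrades, which real go get can also do, are not modelled.
func goGet(g Graph, root, want ModVer) Graph {
	out := Graph{}
	for k, v := range g {
		out[k] = append([]ModVer(nil), v...)
	}
	for i, r := range out[root] {
		if r.Path == want.Path {
			if semverLess(r.Version, want.Version) {
				out[root][i] = want
			}
			return out
		}
	}
	out[root] = append(out[root], want)
	return out
}

// sampleGraph is a constructed dependency graph with hypothetical module paths;
// only golang.org/x/crypto is real, and all version numbers are illustrative.
func sampleGraph() Graph {
	return Graph{
		{"example.com/app", ""}: { // the main module's go.mod
			{"example.com/web", "v1.4.0"},
			{"golang.org/x/crypto", "v0.17.0"}, // the "pin"
		},
		{"example.com/web", "v1.4.0"}: {
			{"golang.org/x/crypto", "v0.16.0"},
			{"example.com/auth", "v1.2.0"},
		},
		{"example.com/auth", "v1.2.0"}: {
			{"golang.org/x/crypto", "v0.19.0"}, // outranks the main module's pin
		},
	}
}

func main() {
	root := ModVer{"example.com/app", ""}
	fmt.Println("before:", buildList(sampleGraph(), root))
	after := goGet(sampleGraph(), root, ModVer{"golang.org/x/crypto", "v0.20.0"})
	fmt.Println("after go get golang.org/x/crypto@v0.20.0:", buildList(after, root))
}
```

The first build list already contains x/crypto v0.19.0 even though the main go.mod says v0.17.0, which is the behaviour to keep in mind when reading a require block as a "pin"; the second shows that raising the main module's own requirement is sufficient to force the fixed version for the whole build.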

GOPRIVATE, GONOPROXY and GONOSUMDB

For private modules that cannot be verified by the public checksum database (and should not be requested from the public proxy, since even the request reveals the module path):

GOPRIVATE=github.com/myorg/*
# GOPRIVATE is shorthand for both of the following; set them separately only when
# proxy and checksum policy differ, e.g. a private proxy that still mirrors sum.golang.org
GONOPROXY=github.com/myorg/*
GONOSUMDB=github.com/myorg/*

Modules matching GONOSUMDB are trusted on first download and afterwards checked only against the committed go.sum, so for them go.sum plus review of every change to it is the entire integrity check. Keep the pattern as narrow as possible, and never set GOSUMDB=off in CI, which disables verification for everything.

CI Security Pipeline

- name: Install govulncheck
  run: go install golang.org/x/vuln/cmd/govulncheck@latest

- name: Check vulnerabilities
  run: govulncheck ./...

- name: Verify checksums
  # go mod verify checks the module cache against go.sum, so download first;
  # the git diff fails the job if go.mod or go.sum are not already tidy
  run: go mod download && go mod verify && go mod tidy && git diff --exit-code go.mod go.sum

- name: Check for outdated deps (informational: prints available updates in brackets, always exits 0)
  run: go list -m -u all

Run these on every pull request and on a schedule, since the vulnerability database changes without any change to your code.

Use Case

Security auditing of Go dependencies is a requirement in regulated industries and security-conscious organizations. Reading and understanding go.mod is the first step in dependency auditing. The formatter helps by clearly separating direct and indirect dependencies, making it easy to identify which modules are in the dependency tree. Combined with govulncheck, a well-formatted go.mod accelerates security reviews.
