Go

Introduction

JFrog Xray provides security and compliance analysis for Go applications throughout the software development lifecycle. This page describes the supported scan contexts, capabilities, and dependency analysis available for Go.

Capabilities

Capability	Source Code Scanning	Binary Scanning
Vulnerability Matching (CVEs)	✅	✅
License Detection	✅	✅
Malicious Package Detection	✅	❌
Operational Risk	❌	❌
Smart Remediation	🔜	🔜

Source code scanning analyzes your project's dependency manifest files to identify components and their vulnerabilities. This is used by JFrog CLI (jf audit), Frogbot, IDE integrations, and CI pipelines.

Supported Files

Package Manager	Supported Files
Go Modules	`go.mod`, `go.sum` (required)

Dependency Graph

Package Manager	Dependency Graph
Go Modules	⚠️ Flat Depenedency list

Additional Information

Go source code scanning requires Go installed in your environment. The go.sum file must be present for accurate dependency scanning. Run go mod tidy to ensure all dependencies are correctly listed.