Following the recent announcement that it had closed a $20 million Series A financing round, the open source code scanning tool Socket announced that it has added support for the Go language; previously it supported only JavaScript and Python.
"Over the past few months, we've observed an increase in supply chain attacks targeting Golang. Realizing this looming threat, we knew it was time to bring Socket's proven proactive defenses to Go."
Socket also describes the challenges faced in adding Go support:
- Custom dependency management: Unlike npm or pip, which have centralized registries, Go's decentralized approach and its VCS-based dependency fetching are harder to monitor. Tools that lean on the GOPROXY protocol as a crutch will miss the latest version published to the version control system, and these are the packages most likely to launch a supply chain attack.
- No lockfile: The go.sum file is not a lockfile, but Go's last line of defense against hijacked version markers in VCS repositories and module proxies. While it is an important part of keeping the Go ecosystem secure, it alone cannot prevent dangerous code in Go modules.
- Dynamic versioning: Pseudo-versions of Go modules provide untagged, commit-based versioning, adding another layer of complexity to tracking dependencies.
- Transitive dependencies: Monitoring indirect dependencies requires deep knowledge of go.mod files and minimal version selection. Security tools need to understand the potential vulnerabilities in Go's module resolution scheme and the dangers introduced through transitive dependencies. As seen in the npm ecosystem, confusion and security holes often arise when security tools fail to properly resolve the dependencies actually in use.
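To make the go.sum and pseudo-version points concrete, here is an added example (not Socket's code, and not from the original article) that joins a go.mod require list with the entries in go.sum and reports what a reviewer would want flagged: requirements with no go.sum entry at all, requirements where only the go.mod hash is recorded (so the module's source zip has never been checksum-verified), "// indirect" transitive dependencies, and pseudo-versions that pin an untagged commit. The sample go.mod, go.sum and the h1: hash values are constructed for illustration; the module paths under github.com/example do not refer to real projects.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Dep is one module requirement from go.mod, joined with what go.sum records for it.
type Dep struct {
	Path        string
	Version     string
	Indirect    bool // marked "// indirect" in go.mod, i.e. a transitive dependency
	Pseudo      bool // untagged commit-based pseudo-version (vX.Y.Z-<timestamp>-<commit>)
	HasZipSum   bool // go.sum holds an h1: hash of the module zip (the source itself)
	HasGoModSum bool // go.sum holds an h1: hash of the module's go.mod only
}

// pseudoVersionRe matches the pseudo-version shapes vX.0.0-<ts>-<hash>,
// vX.Y.Z-pre.0.<ts>-<hash> and vX.Y.(Z+1)-0.<ts>-<hash>: a 14-digit UTC
// timestamp followed by a 12-hex-digit commit prefix.
var pseudoVersionRe = regexp.MustCompile(`^v\d+\.\d+\.\d+.*[-.]\d{14}-[0-9a-f]{12}$`)

// IsPseudoVersion reports whether v is a Go pseudo-version rather than a tagged release.
func IsPseudoVersion(v string) bool { return pseudoVersionRe.MatchString(v) }

// ParseGoMod extracts require directives in both the single-line and the
// parenthesised block form, and records the "// indirect" marker.
func ParseGoMod(src string) []Dep {
	var deps []Dep
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "require (" {
			inBlock = true
			continue
		}
		if inBlock && line == ")" {
			inBlock = false
			continue
		}
		if line == "" || strings.HasPrefix(line, "//") {
			continue
		}
		fields := strings.Fields(line)
		if inBlock {
			if len(fields) < 2 {
				continue
			}
		} else if len(fields) >= 3 && fields[0] == "require" {
			fields = fields[1:]
		} else {
			continue // module, go, replace, exclude ... are not requirements
		}
		if !strings.HasPrefix(fields[1], "v") {
			continue
		}
		deps = append(deps, Dep{
			Path:     fields[0],
			Version:  fields[1],
			Indirect: strings.Contains(line, "// indirect"),
			Pseudo:   IsPseudoVersion(fields[1]),
		})
	}
	return deps
}

// ParseGoSum returns the set of "<path> <version>" and "<path> <version>/go.mod"
// keys that carry an h1: hash. Each go.sum line is "<path> <version>[/go.mod] h1:<base64>".
func ParseGoSum(src string) map[string]bool {
	entries := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 || !strings.HasPrefix(f[2], "h1:") {
			continue
		}
		entries[f[0]+" "+f[1]] = true
	}
	return entries
}

// Audit joins every requirement with the go.sum evidence available for it.
func Audit(goMod, goSum string) []Dep {
	sums := ParseGoSum(goSum)
	deps := ParseGoMod(goMod)
	for i := range deps {
		key := deps[i].Path + " " + deps[i].Version
		deps[i].HasZipSum = sums[key]
		deps[i].HasGoModSum = sums[key+"/go.mod"]
	}
	return deps
}

// Findings turns the audit into reviewer-facing messages. A go.mod-only hash is
// normal when none of the module's packages are built, but it still means the
// source has never been verified, which is exactly why go.sum is not a lockfile.
func Findings(deps []Dep) []string {
	var out []string
	for _, d := range deps {
		ref := d.Path + "@" + d.Version
		if !d.HasGoModSum {
			out = append(out, ref+": no go.sum entry; the module has never been fetched for this build, nothing verified")
		} else if !d.HasZipSum {
			out = append(out, ref+": only the go.mod hash is recorded; the module source has not been checksum-verified")
		}
		if d.Pseudo {
			out = append(out, ref+": pseudo-version pins an untagged commit; there is no release tag to compare against upstream")
		}
	}
	return out
}

// Constructed sample inputs; the h1: values are placeholders, not real checksums.
const SampleGoMod = `module example.com/app

go 1.21

require (
	github.com/example/alpha v1.4.0
	github.com/example/beta v0.0.0-20230101120000-abcdef123456
	github.com/example/gamma v2.1.0 // indirect
)

require github.com/example/delta v0.3.1
`

const SampleGoSum = `github.com/example/alpha v1.4.0 h1:PLACEHOLDER-ZIP-HASH-ALPHA=
github.com/example/alpha v1.4.0/go.mod h1:PLACEHOLDER-GOMOD-HASH-ALPHA=
github.com/example/beta v0.0.0-20230101120000-abcdef123456 h1:PLACEHOLDER-ZIP-HASH-BETA=
github.com/example/beta v0.0.0-20230101120000-abcdef123456/go.mod h1:PLACEHOLDER-GOMOD-HASH-BETA=
github.com/example/gamma v2.1.0/go.mod h1:PLACEHOLDER-GOMOD-HASH-GAMMA=
`

func main() {
	deps := Audit(SampleGoMod, SampleGoSum)
	for _, d := range deps {
		fmt.Printf("%-28s %-44s indirect=%-5t pseudo=%-5t zipSum=%-5t goModSum=%t\n",
			d.Path, d.Version, d.Indirect, d.Pseudo, d.HasZipSum, d.HasGoModSum)
	}
	for _, f := range Findings(deps) {
		fmt.Println("FINDING:", f)
	}
}
```

On the sample input, alpha is fully verified, beta is verified but pinned to a commit rather than a tag, gamma (indirect) has only its go.mod hashed, and delta has no go.sum evidence at all, so three findings come out; in a real repository the same check is cheap to run in CI next to `go mod verify`.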
Socket is currently offering the Go features in beta, as an "early access" phase available to all customers. Key features include:
- go.mod and go.sum files are fully analyzed and verified against checksums
- Detection of known vulnerabilities across the entire build list of dependencies for any given project or package
- Monitoring of direct and indirect dependencies
- Compatibility checks for module substitutions and exclusions
- Package Explorer and Socket Site Search
- Go issues listed in Socket reports
In the coming weeks, expect to see additional integrations with Socket for GitHub and Socket for VSCode, enhanced Go module support, improved AI-driven Go issue detection, and zero-day vulnerability monitoring.
It is worth mentioning that, in addition to adding support for the Go ecosystem, Socket also announced a browser extension for checking the safety of open source packages before downloading them, currently available for Chrome, Edge, Brave and any other Chromium-based browser, as well as Firefox; code repositories across your organization to find any dependencies at any time.