Go Dep Audit


Overview

Go Dep Audit brings granular dependency governance to the Go ecosystem. While official tools focus on vulnerabilities, this tool allows teams to enforce policies regarding license types, module age, and direct vs indirect dependencies.

The Status Quo

The Go ecosystem has great tooling (govulncheck), but compliance teams need more than just vulnerability scans. They need to know: "Are we using any AGPL code?" or "Are we depending on a library that hasn't been updated in 5 years?" Answering these questions usually requires manual inspection of go.mod files.

Market Proposition

Policy-as-code for Go dependencies.

  • License Whitelisting: Define the allowed licenses (e.g., MIT, Apache-2.0) and fail the build if any dependency's license is not on that list.
  • Staleness Checks: Warn about dependencies that look unmaintained (no recent updates).
  • JSON Output: Easy integration with dashboards and other tooling.
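
To show what these policy checks amount to in practice, here is an added example (not the project's own code) that reads the JSON stream `go list -m -json all` prints, applies an allowlist in the same "MIT,Apache-2.0" form as the --allow flag plus a maximum module age, and tags each finding as a direct or indirect dependency. The License field and the module records are assumptions constructed for the example; `go list` does not report licenses, so a real scanner has to fill that in from the module source.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Module: the `go list -m -json all` fields used here; License is an assumption (go list does not report it).
type Module struct {
	Path     string    `json:"Path"`
	Version  string    `json:"Version"`
	Time     time.Time `json:"Time"`
	Indirect bool      `json:"Indirect"`
	License  string    `json:"License"`
}
// ParseModules decodes the stream of concatenated JSON objects that go list prints.
func ParseModules(src string) ([]Module, error) {
	var mods []Module
	dec := json.NewDecoder(strings.NewReader(src))
	for dec.More() {
		var m Module
		if err := dec.Decode(&m); err != nil {
			return nil, err
		}
		mods = append(mods, m)
	}
	return mods, nil
}
// Audit applies an allowlist in the CLI's "MIT,Apache-2.0" form and a staleness threshold.
func Audit(mods []Module, allow string, maxAge time.Duration, now time.Time) []string {
	allowed := "," + strings.ReplaceAll(allow, " ", "") + ","
	var out []string
	for _, m := range mods {
		kind := map[bool]string{false: "direct", true: "indirect"}[m.Indirect] // tag for triage
		if !strings.Contains(allowed, ","+m.License+",") {
			out = append(out, fmt.Sprintf("%s@%s (%s): license %q not allowed", m.Path, m.Version, kind, m.License))
		}
		if !m.Time.IsZero() && now.Sub(m.Time) > maxAge {
			out = append(out, fmt.Sprintf("%s@%s (%s): last published %s, older than %v", m.Path, m.Version, kind, m.Time.Format("2006-01-02"), maxAge))
		}
	}
	return out
}
// Constructed sample in the shape of `go list -m -json all` output (not real modules).
const sampleModules = `{"Path":"example.com/fresh","Version":"v1.4.0","Time":"2024-05-01T00:00:00Z","License":"MIT"}
{"Path":"example.com/copyleft","Version":"v0.9.0","Time":"2024-01-10T00:00:00Z","Indirect":true,"License":"AGPL-3.0"}
{"Path":"example.com/abandoned","Version":"v2.0.1","Time":"2018-06-15T00:00:00Z","License":"Apache-2.0"}`
```

Run against the sample with a five-year threshold, Audit flags the indirect AGPL-3.0 module and the module last published in 2018, and passes the fresh MIT one.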

Usage

# Install
go install github.com/emorilebo/go_dep_audit@latest

# Run scan
go-dep-audit run ./...

# Check licenses only
go-dep-audit license --allow "MIT,Apache-2.0"

Hashtags

#GoLang #GolangSecurity #DevOps #Compliance #OpenSource