Free Go Module Vulnerability Scanning with Visual Studio Code IDE

UPDATE: As of May 1, 2021, the GoCenter central repository has been sunset and all of its features will be deprecated. For more information on the sunsetting of the centers, read the deprecation blog post.
If you’re a Golang developer using Visual Studio Code, keeping at-risk Go Modules out of your apps just got easier, and for free.
Today we’re announcing a new version of the JFrog extension for VS Code IDE, available for free download. This integration brings live vulnerability information about every public Go Module you’re using directly into your source editor from the rich metadata of JFrog GoCenter. This means you can be aware of potential risks from your open-source Go Modules and make better choices, even before your first build.
The Go Modules Power of GoCenter
GoCenter is a public GOPROXY for Go Modules provided by JFrog to the growing ranks of Golang developers as a free community service. Since its launch last year, GoCenter has grown into a comprehensive repository of around 700,000 immutable, versioned Go Modules for public use. Developers around the world use GoCenter as their GOPROXY to gain control over Go dependencies and to make Golang builds faster.
GoCenter also empowers Golang developers by storing metadata about each Go Module, available through a browsable UI. Users can search GoCenter’s catalog, and view usage information and statistics on any module and version.
As Golang evolves, security concerns grow, so JFrog has made GoCenter a more security-focused central repository. GoCenter’s metadata now includes vulnerability information on every Go Module version, populated through the deep recursive scanning of JFrog Xray.
DevSecOps To Go
VS Code has become the source editor of choice for many Golang coders, including some of our own developers at JFrog. It’s among several JFrog integrations for popular IDEs provided for customers of JFrog Xray, making the risks of open-source dependencies more visible to developers, and helping to shift-left security vigilance.
To help fulfill our mission of making software development and delivery faster, more secure, and more reliable, we’ve taken our VS Code extension to the next level. By drawing from the Go module vulnerability data available in GoCenter, VS Code users can benefit even without a licensed instance of Xray.
Once the extension is installed, you can see all of this information in VS Code while hovering over the module in the go.mod file.

VS Code IDE doesn’t only show this information for your direct module dependencies. You can also see indirect (transitive) dependencies, in a hierarchical tree view.
You can jump from the module in the go.mod directly to the tree view, and do the same from the tree back to the module definition in the go.mod.
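Why the tree view matters, as an added example that is not part of the original post or of the JFrog extension: given `go mod graph` output (constructed here, not real GoCenter data) and a constructed advisory map keyed by module@version, it reports each flagged module together with the requirement chain that pulls it in, so that a flagged module two hops away from go.mod is not overlooked.

```go
package main

import (
	"fmt"
	"strings"
)

// graphText is constructed `go mod graph` output (one "requirer requirement" edge per line), not GoCenter data.
const graphText = `example.com/app github.com/acme/webkit@v1.2.0
example.com/app golang.org/x/text@v0.3.2
github.com/acme/webkit@v1.2.0 github.com/acme/yaml@v2.2.1
github.com/acme/yaml@v2.2.1 golang.org/x/sys@v0.0.1`

// flagged is a constructed stand-in for an advisory feed keyed by module@version.
var flagged = map[string]string{"github.com/acme/yaml@v2.2.1": "HYPOTHETICAL-ADVISORY-1"}

// parseGraph turns `go mod graph` lines into adjacency lists (requirer -> requirements).
func parseGraph(text string) map[string][]string {
	edges := map[string][]string{}
	for _, line := range strings.Split(text, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			edges[f[0]] = append(edges[f[0]], f[1])
		}
	}
	return edges
}

// FlaggedPaths reports every flagged module reachable from root with the requirement chain
// that pulls it in; a chain longer than one hop is a transitive risk a go.mod-only view misses.
func FlaggedPaths(root string, edges map[string][]string, flagged map[string]string) []string {
	var out []string
	seen := map[string]bool{root: true}
	var walk func(node string, chain []string)
	walk = func(node string, chain []string) {
		for _, dep := range edges[node] {
			next := append(append([]string{}, chain...), dep)
			if id, ok := flagged[dep]; ok {
				out = append(out, id+": "+strings.Join(next, " -> "))
			}
			if !seen[dep] { // each module@version is expanded once
				seen[dep] = true
				walk(dep, next)
			}
		}
	}
	walk(root, nil)
	return out
}

func main() {
	fmt.Println(strings.Join(FlaggedPaths("example.com/app", parseGraph(graphText), flagged), "\n"))
}
```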

You can also navigate directly into GoCenter’s UI and see even more information about the module under the Security tab.

GOPROXY and Beyond
We hope you’ll like this new feature of the JFrog VS Code Extension, and that it helps show the value of using GoCenter as your GOPROXY. With such accelerating growth of the Go Module ecosystem, it becomes ever more important to have insight into the dependencies you use.
Once you experience the power of shifting left, you might also want to consider enabling the same control for the other languages you use in VS Code. You’re welcome to give JFrog Xray a free trial to see how it can reveal risks in packages from many ecosystems, such as Maven, Gradle, npm, NuGet, RubyGems, and PHP Composer. Xray can also identify dependencies that don’t match your organization’s license policies.
We are working hard to create more value for the Go community, which we are proud to be part of. The extension is open source and GoCenter was built free for the community, so you’re welcome to join us and contribute feedback to this project.