Skip to main content


This article shows you how to analyze your applications written in Go using preZero. It assumes that you have already set up and authenticated with Qwiet.


See Prerequisites for more information.

Analyzing your Go application


Qwiet offers a sample application that you can use to run and test preZero. It also includes a functioning configuration file to demonstrate how you can leverage GitHub Actions to automate code analysis whenever you open a new Pull Request (PR).

To analyze your Go application, run:

sl analyze --app <name> --go <path>
--app <name>The name of the application to be analyzed (maximum length: 100 characters)
--goThe flag identifying the application's language
<path>The path to your project. If you're executing sl analyze in the package's directory, you can pass in shorthands like .. You can also use /<absolute-path-of-directory-of-package> or ./... (current project and sub-projects).

See the CLI reference for additional sl analyze options.

We strongly recommend against passing in paths to individual .go files when running sl analyze. Doing so results in Qwiet analyzing only that file and none of the files in the same project on which it depends.

We also discourage you from passing in paths like ..., all, std, and ./vendor. Those will include dependencies in the scan that, in most cases, you do not want scanned.

See Package lists and patterns for more information.

Scanning for open-source vulnerabilities

For SCA, Qwiet looks for information about open-source packages in the project path you provided when running sl analyze. Depending on how your project repo is structured, you may also need to provide an additional configuration option so that Qwiet preZero can identify where your dependencies are located (for example, if you're running sl analyze for a package other than ., please use --oss-project-dir <project-dir> to specify the location of the <project-dir> directory where Gopkg.lock, go.mod or go.sum is located).

Sample usage

go build
sl analyze --app shiftleft-go-example --go .

Additional parameters

The analysis accepts additional parameters after a double hyphen --.

Additional parameterDescription
--excludeExclude packages by exact match on full package path
--exclude-regexExclude packages with paths matching the given regular expression

Such parameters, if valid, are passed directly to the Go analyzer.

Sample usage of additional parameters

To ignore a specific package like `` from the analysis:
sl analyze --app <name> --go [<path>] -- --exclude ''

To ignore all packages under

sl analyze --app <name> --go [<path>] -- --exclude-regex '^*$'

Note that, depending on your environment, the regular expressions must be properly quoted and/or escaped.

Using cgo

If your application uses cgo and you're running into problems during analysis, please consider disabling it first for code analysis using the standard CGO_ENABLED switch like so:

CGO_ENABLED=0 sl analyze --app <name> --go <package>

Tagging results with your branch name

To include the branch name in your preZero results, allowing you to distinguish one set of results from another, add the following to your invocation of Qwiet:

sl analyze --tag branch=$(git symbolic-ref --short HEAD)

If you're working in a GitHub environment (e.g., GitHub Actions), you can also use --tag branch=${{ github.head_ref }} to populate your branch name.

If you don't provide a branch name, but Qwiet detects one available in your environment, it will use that name.


If you have any issues scanning your project, please see our general troubleshooting page, as well as our Go-specific suggestions that follow.

  • Most of the errors seen regarding the analysis of Go applications involve an environment that had not been set up correctly. Ensure that the environment on which you run Qwiet mirrors your development environment as closely as possible.

  • Try building the app. If the application uses a Makefile, run:

    make build

    Otherwise, use:

    go build ./...
  • For applications that involve a complex build process or Docker, review the Dockerfile to ensure that it was defined correctly.

  • If the Go application includes private modules that are available in a non-GitHub environment, such as GitLab or AWS CodeCommit, ensure the authentication keys are set up and the application builds cleanly before performing code analysis.