Go
This article shows you how to analyze your applications written in Go using preZero. It assumes that you have already set up and authenticated with Qwiet.
Requirements
See Prerequisites for more information.
Analyzing your Go application
Qwiet offers a sample application that you can use to run and test preZero. It also includes a functioning configuration file to demonstrate how you can leverage GitHub Actions to automate code analysis whenever you open a new Pull Request (PR).
To analyze your Go application, run:
sl analyze --app <name> --go <path>
| Parameter | Description |
|---|---|
--app <name> | The name of the application to be analyzed (maximum length: 100 characters) |
--go | The flag identifying the application's language |
<path> | The path to your project. If you're executing sl analyze in the package's directory, you can pass in shorthands like .. You can also use /<absolute-path-of-directory-of-package> or ./... (current project and sub-projects). |
See the CLI reference for additional sl analyze options.
We strongly recommend against passing in paths to individual
.gofiles when runningsl analyze. Doing so results in Qwiet analyzing only that file and none of the files in the same project on which it depends.We also discourage you from passing in paths like
...,all,std, and./vendor. Those will include dependencies in the scan that, in most cases, you do not want scanned.See Package lists and patterns for more information.
Scanning for open-source vulnerabilities
For SCA, Qwiet looks for information about open-source packages in the project path you provided when running sl analyze. Depending on how your project repo is structured, you may also need to provide an additional configuration option so that Qwiet preZero can identify where your dependencies are located (for example, if you're running sl analyze for a package other than ., please use --oss-project-dir <project-dir> to specify the location of the <project-dir> directory where Gopkg.lock, go.mod or go.sum is located).
Sample usage
go build
sl analyze --app shiftleft-go-example --go .
Additional parameters
The analysis accepts additional parameters after a double hyphen --.
| Additional parameter | Description |
|---|---|
--exclude | Exclude packages by exact match on full package path |
--exclude-regex | Exclude packages with paths matching the given regular expression |
Such parameters, if valid, are passed directly to the Go analyzer.
Sample usage of additional parameters
To ignore a specific package like `github.com/SomeOrganization/a-package` from the analysis:sl analyze --app <name> --go [<path>] -- --exclude 'github.com/SomeOrganization/a-package'
To ignore all packages under github.com/SomeOrganization:
sl analyze --app <name> --go [<path>] -- --exclude-regex '^github.com/SomeOrganization/.*$'
Note that, depending on your environment, the regular expressions must be properly quoted and/or escaped.
Using cgo
If your application uses cgo and you're running into problems during analysis, please consider disabling it first for code analysis using the standard CGO_ENABLED switch like so:
CGO_ENABLED=0 sl analyze --app <name> --go <package>
Tagging results with your branch name
To include the branch name in your preZero results, allowing you to distinguish one set of results from another, add the following to your invocation of Qwiet:
sl analyze --tag branch=$(git symbolic-ref --short HEAD)
If you're working in a GitHub environment (e.g., GitHub Actions), you can also use --tag branch=${{ github.head_ref }} to populate your branch name.
If you don't provide a branch name, but Qwiet detects one available in your environment, it will use that name.
Troubleshooting
If you have any issues scanning your project, please see our general troubleshooting page, as well as our Go-specific suggestions that follow.
Build-related errors
Most of the errors seen regarding the analysis of Go applications involve an environment that had not been set up correctly. Ensure that the environment on which you run Qwiet mirrors your development environment as closely as possible.
Try building the app. If the application uses a Makefile, run:
make buildOtherwise, use:
go build ./...For applications that involve a complex build process or Docker, review the Dockerfile to ensure that it was defined correctly.
If the Go application includes private modules that are available in a non-GitHub environment, such as GitLab or AWS CodeCommit, ensure the authentication keys are set up and the application builds cleanly before performing code analysis.