Go license/security scanning
We have automated security and license scanning for most of the dependencies we use at GitLab. Unfortunately, we have a blind spot when it comes to our Go-based projects like Workhorse, Gitaly, and Runner.
While there are some open source tools which may help here, what complicates matters is that we use different methods of pulling in dependencies across the different projects.
For example, if a project doesn't use go dep and directly vendors its dependencies, the above won't help us.
Asks:
- Evaluate each of the Go-based projects to determine what dependency method they use
- In the short term, manually list the dependencies and their licenses. Check for blacklisted licenses and security issues.
- Establish a path forward for incorporating these into our automated checks
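As an added illustration of the first two asks (not code from GitLab or from any of the projects named above), the following Go program detects which dependency method a checkout uses from its marker files, lists the projects recorded in a dep `Gopkg.lock`, and flags entries in a hand-maintained inventory whose license is blacklisted or not yet determined. The marker-file mapping, the sample lock file, the inventory values and the blacklist contents are all constructed assumptions for the example; which licenses are actually blacklisted is a policy decision not stated here.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// DetectDependencyMethod inspects a Go project checkout and reports which
// dependency-management methods its marker files suggest (assumed mapping).
// A bare vendor/ directory with no manifest is reported as manual vendoring.
func DetectDependencyMethod(root string) []string {
	markers := []struct{ file, method string }{
		{"go.mod", "go modules"},
		{"Gopkg.toml", "dep"},
		{"Gopkg.lock", "dep"},
		{"glide.yaml", "glide"},
		{"Godeps/Godeps.json", "godep"},
		{"vendor/vendor.json", "govendor"},
	}
	seen := map[string]bool{}
	var methods []string
	for _, m := range markers {
		if _, err := os.Stat(filepath.Join(root, m.file)); err == nil && !seen[m.method] {
			seen[m.method] = true
			methods = append(methods, m.method)
		}
	}
	if len(methods) == 0 {
		if info, err := os.Stat(filepath.Join(root, "vendor")); err == nil && info.IsDir() {
			return []string{"manual vendoring"}
		}
		return []string{"unknown"}
	}
	return methods
}

// ParseGopkgLockProjects extracts the import paths from the [[projects]] blocks
// of a dep Gopkg.lock. It is line-based rather than a full TOML parser, which is
// enough for the name = "..." entries dep writes.
func ParseGopkgLockProjects(lock string) []string {
	var names []string
	inProject := false
	for _, line := range strings.Split(lock, "\n") {
		line = strings.TrimSpace(line)
		switch {
		case line == "[[projects]]":
			inProject = true
		case strings.HasPrefix(line, "["): // any other table, e.g. [solve-meta]
			inProject = false
		case inProject && strings.HasPrefix(line, "name = \""):
			names = append(names, strings.Trim(strings.TrimPrefix(line, "name = "), "\""))
		}
	}
	return names
}

// Dependency pairs an import path with the SPDX identifier of its license as
// recorded by hand in the interim inventory; "" means not yet determined.
type Dependency struct {
	Path    string
	License string
}

// FlagDependencies returns the paths whose license is blacklisted or still
// unknown, so both kinds surface for review. Comparison is case-insensitive.
func FlagDependencies(deps []Dependency, blacklist []string) []string {
	banned := map[string]bool{}
	for _, l := range blacklist {
		banned[strings.ToUpper(l)] = true
	}
	var flagged []string
	for _, d := range deps {
		if d.License == "" || banned[strings.ToUpper(d.License)] {
			flagged = append(flagged, d.Path)
		}
	}
	return flagged
}

func main() {
	// Constructed sample lock for a dep-managed project with two dependencies.
	const sampleLock = `[[projects]]
  name = "github.com/example/logkit"
  version = "v1.2.0"
[[projects]]
  name = "github.com/example/tomlish"
[solve-meta]
  analyzer-name = "dep"
`
	// Hypothetical blacklist and hand-filled inventory (constructed values).
	blacklist := []string{"AGPL-3.0"}
	inventory := []Dependency{
		{"github.com/example/logkit", "MIT"},
		{"github.com/example/tomlish", "AGPL-3.0"},
		{"github.com/example/unchecked", ""},
	}
	fmt.Println("dep projects:", ParseGopkgLockProjects(sampleLock))
	fmt.Println("flagged for review:", FlagDependencies(inventory, blacklist))
	fmt.Println("method in cwd:", DetectDependencyMethod("."))
}
```

Run it from the root of a project checkout to see which method is detected; the `Gopkg.lock` parser only covers dep, so projects reported as manual vendoring still need their `vendor/` tree inventoried by hand, which is exactly the gap the short-term ask is meant to close.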
Edited by Joshua Lambert