Support Go in Dependency Scanning (alpha* because the scanner is viable but its results/findings are limited)
Problem to solve
Users of Go, including ourselves, would like to monitor their dependencies (specific libraries) for vulnerabilities.
Note: this implementation will only cover projects that use Go modules. Detection of whether a project is supported will be contingent on a go.sum file being present.
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/
Add MVC Dependency Scanning support for the Go language and get feedback (dogfooding and customers) as we work to ingest more Go findings.
To be clear: NO feature flag, and it should be available to all dot-com and self-hosted users. This is alpha only because of the volume of findable results, not because of the scanner itself, and we should get people using the scanner now. In our docs, indicate that the database behind it currently holds a low number of vulnerabilities, that we are working to increase that, and recommend that people start running it as soon as possible, since they will automatically get more findings with each release.
- add go.sum parser to
- go-modules test project with DS support gitlab-org/security-products/tests/go-modules!9 (merged)
- update CI template for dependency-scanning to scan Go projects !22712 (merged)
- update docs to document Go support (note: alpha) !22806 (merged)
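The two technical pieces above (detect a Go modules project by the presence of go.sum, then parse go.sum into module/version pairs for the vulnerability database lookup) are sketched here as an added, self-contained Go example. It is not the gemnasium analyzer's own code or the test project's code. The go.sum format it relies on is the documented one: one entry per line, "module version h1:<base64 sha256>", with a second line per module whose version carries a "/go.mod" suffix and hashes only that module's go.mod file. Treating the "/go.mod"-only entries as dependency candidates (flagged, rather than dropped) is this example's own choice, not a behaviour the issue specifies; the sample go.sum content is constructed.

```go
package main

import (
	"bufio"
	"encoding/base64"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Dependency is one module/version pair recovered from go.sum.
// CodeHashed is true when a line without the "/go.mod" suffix was seen,
// i.e. the module's source zip itself (not just its go.mod) was hashed.
type Dependency struct {
	Module     string
	Version    string
	CodeHashed bool
}

// sampleGoSum is constructed sample input, not taken from any real project.
const sampleGoSum = `github.com/example/lib v1.2.3 h1:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
github.com/example/lib v1.2.3/go.mod h1:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
golang.org/x/text v0.3.0/go.mod h1:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=
`

// IsGoModulesProject mirrors the detection rule from the issue: a project is
// scannable when a go.sum file is present in its root directory.
func IsGoModulesProject(dir string) bool {
	info, err := os.Stat(filepath.Join(dir, "go.sum"))
	return err == nil && info.Mode().IsRegular()
}

// ParseGoSum reads go.sum text and returns the unique module/version pairs in
// order of first appearance. Malformed lines are reported as errors rather than
// silently skipped, so a corrupted go.sum does not produce an empty (and
// misleadingly clean) dependency list.
func ParseGoSum(r io.Reader) ([]Dependency, error) {
	var deps []Dependency
	index := map[[2]string]int{} // (module, version) -> position in deps
	sc := bufio.NewScanner(r)
	for lineNo := 1; sc.Scan(); lineNo++ {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 {
			continue // blank line
		}
		if len(fields) != 3 {
			return nil, fmt.Errorf("go.sum line %d: expected 3 fields, got %d", lineNo, len(fields))
		}
		module, version, hash := fields[0], fields[1], fields[2]
		// Only the h1 (SHA-256) hash algorithm is defined for go.sum today.
		raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(hash, "h1:"))
		if !strings.HasPrefix(hash, "h1:") || err != nil || len(raw) != 32 {
			return nil, fmt.Errorf("go.sum line %d: malformed h1 hash %q", lineNo, hash)
		}
		codeHashed := !strings.HasSuffix(version, "/go.mod")
		version = strings.TrimSuffix(version, "/go.mod")
		key := [2]string{module, version}
		if i, ok := index[key]; ok {
			deps[i].CodeHashed = deps[i].CodeHashed || codeHashed
			continue
		}
		index[key] = len(deps)
		deps = append(deps, Dependency{Module: module, Version: version, CodeHashed: codeHashed})
	}
	return deps, sc.Err()
}

func main() {
	deps, err := ParseGoSum(strings.NewReader(sampleGoSum))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, d := range deps {
		fmt.Printf("%s %s (code hashed: %v)\n", d.Module, d.Version, d.CodeHashed)
	}
}
```

The parsed (module, version) pairs are what a scanner would look up against its advisory database; the CodeHashed flag lets a scanner decide whether a module that appears only through a "/go.mod" line should be reported or merely recorded.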
Permissions and Security
No changes, same as current Dependency Scanning.
BE CLEAR IT'S ALPHA & WE NEED FEEDBACK
- Create test project
What does success look like, and how can we measure that?
Users will enable dependency scanning for Go projects.