Go

Analyze Go projects with FOSSA via Go Modules, Dep, Govendor, Gopkg, or Glide, through Quick Import or the FOSSA CLI.

3 min readUpdated Jul 9, 2026

Overview

FOSSA supports Go codebases through Go Modules, Dep, Govendor, Gopkg, and Glide. You can analyze a project two ways: Quick Import in the web app, or the FOSSA CLI.

Historically, the Go build-tool ecosystem has been very fragmented: tools like Dep, Glide, and Govendor each tried to address build reproducibility, versioning, and vendoring of dependencies. As of Go 1.11, Go has first-class support for modules, which solves the versioning and build-reproducibility problems so well that the other tooling has largely gone into maintenance mode, with the notable exception of Dep. As such, Go analysis primarily targets Go 1.11+ modules and Dep, with Glide support included because it is still commonly used.

Tool support

Tool
Go modules
Dep
Govendor
Gopkg
Glide

How Quick Import works

When Go code is imported through the web app, FOSSA inspects the supported manifest and lockfiles in your repository and resolves their dependencies for analysis.

Note

If a Go dependency refers to a Git repository, it may be displayed as a Git project in FOSSA. When that happens, FOSSA may show the commit hash as the version and the Git repository URL as the package name.

Analyzing with the CLI

Install the latest release of fossa-cli:

Shell
curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash

Then run fossa analyze from your repository's root directory to analyze your Go project.

The CLI selects a strategy per project. Most strategies (except gomod, where it would be redundant since golist supersedes it) use go list -json all to hydrate edges and transitive dependencies: package imports are recursively traversed, ignoring Standard (system) packages. go list behaves slightly differently depending on context, in a Go modules project, packages can carry a Module field with a pinned Version (otherwise the version is unspecified), and go list includes vendored packages in both modules and non-modules projects.

Analysis strategies

StrategyDirect DepsTransitive DepsEdgesContainer Scanning
golist⚠️
gomod⚠️
gopkglock⚠️
gopkgtoml⚠️⚠️
glide
  • ✅, Supported
  • ⚠️, Partially supported (see the linked strategy reference for details)
  • ❌, Not supported

Authenticating to private registries

If you use a private Go module proxy, configure FOSSA so it can access your modules during analysis.

  1. 1

    Open Go language settings

    Go to Account Settings → Languages → Go (https://app.fossa.com/account/settings/languages/go).

  2. 2

    Add your proxy

    Under Private Proxies, add the proxy URL and, if required, the username and password FOSSA should use to reach it, then save.

Package data

FOSSA resolves Go dependencies from the supported manifest and lockfiles. If a Go dependency refers to a Git repository, it may be reported as a Git project, showing the commit hash as the version and the Git repository URL as the package name.

© 2026 FOSSA, Inc.support@fossa.com