{"id":17063,"library":"snyk-go-plugin","title":"Snyk Golang CLI Plugin","description":"The `snyk-go-plugin` package serves as a crucial plugin for the Snyk CLI, enabling it to detect and report known vulnerabilities within Golang projects. It specifically supports projects utilizing `dep` (via `Gopkg.lock`) or `govendor` (via `vendor/vendor.json`) for dependency management, as well as `go.mod` projects. The current stable version is 2.1.1, with releases occurring frequently, often monthly or bi-monthly, and sometimes more often for critical bug fixes. Its primary differentiator is its integration with the broader Snyk security platform, providing automated vulnerability scanning and remediation advice for Go applications, unlike standalone static analysis tools. It ships with TypeScript types, indicating strong support for modern JavaScript and TypeScript development workflows, and requires Node.js version 20 or higher.","status":"active","version":"2.1.1","language":"javascript","source_language":"en","source_url":"https://github.com/snyk/snyk-go-plugin","tags":["javascript","typescript"],"install":[{"cmd":"npm install snyk-go-plugin","lang":"bash","label":"npm"},{"cmd":"yarn add snyk-go-plugin","lang":"bash","label":"yarn"},{"cmd":"pnpm add snyk-go-plugin","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"Internal dependency used for dependency graph generation, frequently updated.","package":"@snyk/dep-graph","optional":false}],"imports":[{"note":"The `inspect` function is the primary API for programmatically scanning Go projects. The package ships with TypeScript types.","wrong":"const inspect = require('snyk-go-plugin').inspect;","symbol":"inspect","correct":"import { inspect } from 'snyk-go-plugin';"},{"note":"Type import for configuration options when calling the `inspect` function. 
Essential for TypeScript users.","symbol":"InspectOptions","correct":"import type { InspectOptions } from 'snyk-go-plugin';"}],"quickstart":{"code":"import { inspect } from 'snyk-go-plugin';\n\nasync function scanGoProject(projectDir: string) {\n  try {\n    console.log(`Scanning Go project in: ${projectDir}`);\n    // The 'go.mod' file is often used as the manifest file, or Gopkg.lock/vendor/vendor.json\n    const result = await inspect(\n      projectDir,\n      'go.mod',\n      {\n        // PackageURL generation is on by default; set includePackageUrls to false to disable it\n        configuration: { includePackageUrls: true },\n        // Other options can be passed here, e.g., debug: true\n      }\n    );\n    console.log('Snyk Go Plugin inspection result:');\n    console.dir(result, { depth: null });\n    if (result.package.dependencies) {\n        console.log(`Found ${Object.keys(result.package.dependencies).length} direct dependencies.`);\n    }\n  } catch (error) {\n    console.error('Error during Snyk Go Plugin inspection:', error);\n    process.exit(1);\n  }\n}\n\n// Example usage: scan the current directory as a Go project\nscanGoProject(process.cwd());","lang":"typescript","description":"This quickstart demonstrates how to use the `inspect` function to programmatically scan a Go project's dependencies and output the results, including how to configure options like PackageURL generation."},"warnings":[{"fix":"If you do not wish to generate PackageURLs, you must explicitly disable this functionality by passing `{ configuration: { includePackageUrls: false } }` to the `inspect` function. Example: `inspect(cwd, 'go.mod', { configuration: { includePackageUrls: false } })`.","message":"The `inspect` function now generates PackageURLs (purl) by default. 
This changes the structure of the output object, adding a 'purl' field to package objects.","severity":"breaking","affected_versions":">=2.0.0"},{"fix":"For end-user vulnerability scanning, ensure the Snyk CLI is installed globally (`npm install -g snyk`) and use it directly. This plugin is for integrating Snyk's Go dependency resolution into custom tools or the Snyk CLI itself.","message":"This package is a plugin designed to be used with the Snyk CLI tool, not as a standalone application for direct vulnerability scanning. While it provides a programmatic API, its primary context is within the Snyk ecosystem.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Ensure your `go.mod` file and local `replace` directives are correctly configured and resolvable within the project context. Recent versions have improved handling, but edge cases may still exist. Verify the dependency graph output from the plugin.","message":"The plugin relies on Go's module system. Projects with complex `replace` directives in `go.mod` (especially those pointing to local paths) may lead to incorrect dependency graphs.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Upgrade your Node.js environment to version 20 or newer. Use `nvm` or a similar tool to manage Node.js versions if you need to switch between different versions.","message":"The package requires Node.js version 20 or higher. Running it with older Node.js versions will result in execution errors.","severity":"gotcha","affected_versions":">=2.0.0"}],"env_vars":null,"last_verified":"2026-04-22T00:00:00.000Z","next_check":"2026-07-21T00:00:00.000Z","problems":[{"fix":"Ensure Go is correctly installed and accessible in your system's PATH. Verify that `go mod graph` runs without errors in your project directory. 
Check your `go.mod` for syntax errors or unresolvable modules.","cause":"The plugin couldn't execute `go mod graph` (or similar Go commands) successfully, likely due to a misconfigured Go environment, an invalid `go.mod` file, or missing Go installation.","error":"Error: Command failed: go mod graph"},{"fix":"Inspect the full `result` object returned by `inspect` to understand its structure. Ensure the project path and manifest file provided to `inspect` are correct. Enable debug logging for the plugin if available to get more detailed error information.","cause":"The `inspect` function returned an unexpected or incomplete result object, possibly due to a problem parsing the Go project's dependencies or an internal plugin error.","error":"TypeError: Cannot read properties of undefined (reading 'dependencies')"},{"fix":"Run `npm install` or `yarn install` again in your project to ensure all dependencies are correctly installed. Clear your `node_modules` and package manager cache if the issue persists.","cause":"The internal dependency `@snyk/dep-graph` is missing, often due to an incomplete `npm install` or issues with module resolution.","error":"Error: Cannot find module '@snyk/dep-graph'"}],"ecosystem":"npm","meta_description":null}