GitHub brings its suite of supply chain security features to Go

Ryan Daws is a senior editor at TechForge Media with over a decade of experience in crafting compelling narratives and making complex topics accessible. His articles and interviews with industry leaders have earned him recognition as a key influencer by organisations like Onalytica. Under his leadership, publications have been praised by analyst firms such as Forrester for their excellence and performance. Connect with him on X (@gadget_ry) or Mastodon (

Go is receiving a boost from GitHub with the company bringing its supply chain security features to the Google-designed language.

According to GitHut, Go is currently the fourth most-popular language on GitHub. The Go community embraced GitHub and now the company is returning the favour by helping them to discover, report, and prevent security vulnerabilities.

Steve Francia, Product Lead of Go Language at Google, said:

“Go was created, in part, to address the problem of managing dependencies in large-scale software. GitHub is the most popular host for open-source Go modules. 

The features announced today will help not just GitHub users but anyone who depends on GitHub-hosted modules.

We are thrilled that GitHub is investing in improvements that benefit the entire Go ecosystem, and we look forward to more collaborations with them in the future.”

So far, GitHub has published over 150 Go security advisories—a number that is growing every day. Go module maintainers can use these advisories for the coordinated disclosure of vulnerabilities.

In addition to security advisories, developers can be alerted to vulnerable dependencies through GitHub’s dependency graph. To view a repository’s detected dependencies, select the repository’s Insights tab, then select Dependency graph from the sidebar on the left.

Dependency graph is turned on by default for public repos but must be enabled manually for private.

Dependabot alerts will notify developers if a vulnerability is discovered in Go modules they’re using. If a vulnerable dependency is detected, Dependabot security updates can provide a pull request that auto-upgrades vulnerable Go modules to a version without the issue.

GitHub claims that it’s found that repos which automatically generate pull requests to update vulnerable dependencies patch their software 40 percent faster.

GitHub’s decision to bring its supply chain security features to Go is sure to be welcomed by the community and should help to protect software developed using the language.

(Image Credit: GitHub)

Want to learn about DevOps from leaders in the space? Check out the DevOps-as-a-Service Summit, taking place on February 1 2022, where attendees will learn about the benefits of building collaboration and partnerships in delivery.

Tags: , , , , , , , , ,

View Comments
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *