GitHub brings its suite of supply chain security features to Go

Ryan Daws is a senior editor at TechForge Media, with a seasoned background spanning over a decade in tech journalism. His expertise lies in identifying the latest technological trends, dissecting complex topics, and weaving compelling narratives around the most cutting-edge developments. His articles and interviews with leading industry figures have gained him recognition as a key influencer by organisations such as Onalytica. Publications under his stewardship have since gained recognition from leading analyst houses like Forrester for their performance. Find him on X (@gadget_ry) or Mastodon (@gadgetry@techhub.social)


Go is receiving a boost from GitHub with the company bringing its supply chain security features to the Google-designed language.

According to GitHut, Go is currently the fourth most-popular language on GitHub. The Go community embraced GitHub, and now the company is returning the favour by helping Go developers discover, report, and prevent security vulnerabilities.

Steve Francia, Product Lead of Go Language at Google, said:

“Go was created, in part, to address the problem of managing dependencies in large-scale software. GitHub is the most popular host for open-source Go modules.

The features announced today will help not just GitHub users but anyone who depends on GitHub-hosted modules.

We are thrilled that GitHub is investing in improvements that benefit the entire Go ecosystem, and we look forward to more collaborations with them in the future.”

So far, GitHub has published over 150 Go security advisories—a number that is growing every day. Go module maintainers can use these advisories for the coordinated disclosure of vulnerabilities.

In addition to security advisories, developers can be alerted to vulnerable dependencies through GitHub’s dependency graph. To view a repository’s detected dependencies, select the repository’s Insights tab, then select Dependency graph from the sidebar on the left.

Dependency graph is turned on by default for public repos but must be enabled manually for private repos.

Dependabot alerts will notify developers if a vulnerability is discovered in Go modules they’re using. If a vulnerable dependency is detected, Dependabot security updates can provide a pull request that auto-upgrades vulnerable Go modules to a version without the issue.
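As an added illustration of the decision behind a Dependabot alert, the Go program below parses the require directives of a constructed go.mod, checks each module against a hypothetical advisory carrying a vulnerable version range, and reports the upgrade a security-update pull request would propose. This is example code written for this page, not GitHub's implementation and not the schema of GitHub's advisory database; every module path, version and advisory in it is made up.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Advisory is a simplified, hypothetical advisory record: the affected
// module and the vulnerable version range [Introduced, Fixed).
type Advisory struct {
	Module     string
	Introduced string // first vulnerable version
	Fixed      string // first version without the issue
}

// Requirement is one require directive from go.mod.
type Requirement struct {
	Module   string
	Version  string
	Indirect bool
}

// Alert is what a vulnerable requirement produces: the current version and
// the fixed version a security-update pull request would move it to.
type Alert struct {
	Module, Current, Upgrade string
	Indirect                 bool
}

// Constructed go.mod for the example; all module paths are invented.
const sampleGoMod = `module example.com/app

go 1.17

require (
	example.com/lib/foo v1.4.2
	example.com/lib/bar v0.3.0 // indirect
	example.com/lib/baz v2.1.0+incompatible
)

require example.com/lib/qux v1.0.0-rc1
`

// Constructed advisories for the example; none of these are real.
var sampleAdvisories = []Advisory{
	{Module: "example.com/lib/foo", Introduced: "v1.2.0", Fixed: "v1.4.3"},
	{Module: "example.com/lib/bar", Introduced: "v0.1.0", Fixed: "v0.3.0"},
	{Module: "example.com/lib/qux", Introduced: "v0.9.0", Fixed: "v1.0.0"},
}

// ParseRequires extracts require directives from go.mod text, handling both
// the single-line form and the parenthesised block form.
func ParseRequires(gomod string) []Requirement {
	var reqs []Requirement
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "require (" {
			inBlock = true
			continue
		}
		if inBlock && line == ")" {
			inBlock = false
			continue
		}
		if strings.HasPrefix(line, "//") {
			continue
		}
		fields := strings.Fields(line)
		if !inBlock {
			if len(fields) < 3 || fields[0] != "require" {
				continue
			}
			fields = fields[1:]
		}
		if len(fields) < 2 {
			continue
		}
		reqs = append(reqs, Requirement{
			Module:   fields[0],
			Version:  fields[1],
			Indirect: strings.Contains(line, "// indirect"),
		})
	}
	return reqs
}

// splitVersion turns "v1.2.3-rc1+incompatible" into [1 2 3] and "rc1".
func splitVersion(v string) ([3]int, string) {
	v = strings.TrimPrefix(v, "v")
	parts := strings.SplitN(v, "-", 2)
	core, pre := parts[0], ""
	if len(parts) == 2 {
		pre = parts[1]
	}
	if i := strings.Index(core, "+"); i >= 0 {
		core = core[:i] // drop build metadata such as +incompatible
	}
	var nums [3]int
	for i, p := range strings.SplitN(core, ".", 3) {
		n, _ := strconv.Atoi(p)
		nums[i] = n
	}
	return nums, pre
}

// compareVersions orders two module versions by MAJOR.MINOR.PATCH, with a
// pre-release sorting before the release it precedes (so v1.0.0-rc1 is still
// inside a range that is fixed in v1.0.0). Full semver pre-release ordering
// is out of scope for this example.
func compareVersions(a, b string) int {
	ac, apre := splitVersion(a)
	bc, bpre := splitVersion(b)
	for i := 0; i < 3; i++ {
		if ac[i] < bc[i] {
			return -1
		}
		if ac[i] > bc[i] {
			return 1
		}
	}
	switch {
	case apre == bpre:
		return 0
	case apre == "":
		return 1
	case bpre == "":
		return -1
	}
	return strings.Compare(apre, bpre)
}

// FindAlerts flags every requirement whose version falls in an advisory's
// [Introduced, Fixed) range and records the fixed version as the upgrade.
func FindAlerts(reqs []Requirement, advisories []Advisory) []Alert {
	var alerts []Alert
	for _, r := range reqs {
		for _, adv := range advisories {
			if r.Module != adv.Module {
				continue
			}
			if compareVersions(r.Version, adv.Introduced) >= 0 &&
				compareVersions(r.Version, adv.Fixed) < 0 {
				alerts = append(alerts, Alert{
					Module: r.Module, Current: r.Version,
					Upgrade: adv.Fixed, Indirect: r.Indirect,
				})
			}
		}
	}
	return alerts
}

func main() {
	for _, a := range FindAlerts(ParseRequires(sampleGoMod), sampleAdvisories) {
		fmt.Printf("%s %s is vulnerable; upgrade to %s (indirect=%v)\n",
			a.Module, a.Current, a.Upgrade, a.Indirect)
	}
}
```

Two requirements trip an alert here: example.com/lib/foo at v1.4.2 (fixed in v1.4.3) and example.com/lib/qux at v1.0.0-rc1, which is a pre-release and so still precedes the v1.0.0 fix. example.com/lib/bar at v0.3.0 is exactly the fixed version and is not flagged, which is the boundary a practitioner should check when an advisory's "fixed" version equals what go.mod already pins.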

GitHub says it has found that repos which automatically generate pull requests to update vulnerable dependencies patch their software 40 percent faster.

GitHub’s decision to bring its supply chain security features to Go is sure to be welcomed by the community and should help to protect software developed using the language.
