
Sonatype Delivers Fully Automated Security Solution for Go Programming Language

Written by Elissa Walters | July 24, 2019

The Nexus Platform now enables Go development teams to automatically control open source risk across the entire software development lifecycle

SAN DIEGO – GopherCon – July 24, 2019 – Today, Sonatype, the inventors of software supply chain automation, announced full support for Go (Golang) across the Nexus Platform, giving Go development teams an easy way to manage Go packages and automatically eliminate security risk across the entire software development lifecycle, including production applications. With the addition of Go, the Nexus Platform now supports 42 programming languages and package formats, further meeting the diverse needs of enterprise development teams.

One of the world’s fastest growing programming languages, Golang has seen incredible growth among developers and has been readily embraced at leading tech companies. However, as the language grows in popularity, the potential for third-party packages to introduce vulnerabilities within development and production applications only increases.

“As we look toward the future of software development, Go is likely to become the primary language for server side development. It’s simple, straightforward and easy to learn; it’s clear why so many developers love it,” said Brian Fox, CTO of Sonatype. “Furthermore, because Go is supported by a vibrant community, the number of Go packages available to front-line developers will continue to grow rapidly. And, as we’ve seen time and time before, when developers use third-party packages to build applications, it’s critical for their organizations to understand the quality, security, and licensing of those packages.”

“Go is steadily rising towards being the de facto language for servers and CLI tools, among other categories. The addition of formal package management support to the toolchain will only accelerate this process. Sonatype has implemented a range of supporting services that allow an organization to manage a private Go package ecosystem, but also adds in automated software supply chain management and intelligence on known security vulnerabilities,” said Sam Boyer, lead engineer of the predecessor to Go modules. “Good data about OSS vulnerabilities is hard to come by in any language, and Sonatype has earned its well-deserved reputation by making it easier for developers to access this information.”

With the addition of new Nexus Platform capabilities that enable Go support, Nexus continues to expand its coverage across popular programming languages and package formats. Now, Go development teams can leverage the Nexus Platform to secure their entire SDLC in an automated fashion using:

  • Nexus Repository to proxy remote Go module repositories, using Go modules (go mod) together with the GOPROXY environment variable
  • Nexus Firewall to stop risk at the front door, by defining policies that automatically prevent vulnerable or compromised Go packages from entering the software development lifecycle
  • Nexus Lifecycle to automatically and contextually enforce policies across the entire SDLC and ensure that Go applications contain secure packages
  • Nexus integrations to continuously enforce policies within popular pipeline tools used by Go developers, including Jenkins, GitHub, Jira, Maven, Eclipse, and VS Code.

For individual developers or organizations just getting started with open source governance, Sonatype also offers a suite of free tools including:

  • Nexus Vulnerability Scanner - scans Go apps and creates a software bill of materials.
  • Nexus Repository Manager OSS - proxies and manages Go binaries.
  • DepShield - uses OSS Index to check for vulnerabilities in your Go dependencies at the commit level within GitHub.
  • OSS Index - a free service used by developers to identify open source dependencies and determine whether they have any known, publicly disclosed vulnerabilities.
  • Nancy - uses OSS Index to identify vulnerabilities in Go dependencies. Nancy is available on GitHub but does not have access to commits; it runs on a private project or a local machine.
  • Goalie - scans binaries against OSS Index data to identify component-level vulnerabilities.

About Sonatype

More than 10 million software developers rely on Sonatype to innovate faster while mitigating security risks inherent in open source. Sonatype’s Nexus platform combines in-depth component intelligence with real-time remediation guidance to automate and scale open source governance across every stage of the modern DevOps pipeline. Sonatype is privately held with investments from Accel Partners, Goldman Sachs, Hummer Winblad Venture Partners and TPG. Learn more at www.sonatype.com.