Compilation Instructions for Go

Compilation Guide

See the master compilation guidelines for instructions for other platforms.

Supported Go Versions

Language Version
Go 1.x

Packaging Guidance for Go

Veracode uses functionality in the standard Go compiler when analyzing applications, and requires that the application is packaged in a structure that can be compiled. Package the source directory for a single compilable Go executable as a compressed ZIP archive, and structure it as follows:
  • The ZIP archive must contain a single directory.
  • The top-level directory must include a GO file with a main() call in it, in addition to any other Go source files used by the main package.
  • Veracode uses the vendoring functionality in Go to manage third-party libraries. When building an application with Go 1.11 or later, you can use the -mod=vendor flag, or run the go mod vendor command to create the vendor directory.
    • Any third-party libraries or other internal packages must be in a subdirectory named vendor. For example: vendor/
    • Any dependencies that the application uses must be in the vendor subdirectory.

    For more information, see How do I use vendoring with modules?

  • Any packages that the application uses that are specific to the application must be contained in a subdirectory inside the app directory.
  • The application should not include any CGO dependencies or build tags that restrict the application to running only on a specific operating system.
The following is an example structure of the submitted source files:
|__ app/
   |-- main.go
   |-- [other *.go files in package main]
   |__ applicationpkg1/
      |-- [application package 1 *.go files]
   |__ applicationpkg2/
      |-- [application package 2 *.go files]
      |__ vendor/ [first- and third-party dependencies go in this folder]

Upload Requirements

  • An upload must only contain one Go module.
  • A multi-module project must be split into separate uploads.

Veracode does not support uploading a source repository that includes the source for multiple discrete Go executables or multiple modules.

Veracode cannot analyze a Go module or package without a main() function.

Configuration for Different Structures

If the application you want to analyze has a package structure that does not match the above requirement, you can include a file that describes the structure of the application.

In the root of the directory that you compress to form the ZIP archive, include a JSON file named veracode.json, with the following optional properties:

  • MainRoot: This property describes the import path relative to the enclosing directory where the main package is located. For example, if the root folder is named project, and the main file is in project/cmd/main, then the value for this configuration field is cmd/main.
  • MainPkgName: This property describes if the name of the package containing the main() function for the application is something other than main.
  • FirstParty: This property describes an array of import paths for first-party code that is located in the vendor directory.

The following is an example of the veracode.json configuration file:

    "MainRoot": "cmd/app1",
    "MainPkgName": "app1",
    "FirstParty": [
The following is an example application structure that uses a configuration file:
|__ app/
  |-- veracode.json [configuration file describing the structure]
  |__ cmd/
     |__ app1
        |-- main.go
   |__ vendor/ [first- and third-party dependencies go in this folder]
         |__ my_company/
            |__ firstpartypkg1/
            |__ firstpartypkg2/
         |__ 3rdparty

Details and Troubleshooting

Veracode uses the Go compiler to generate syntax trees to analyze the applications. The submitted archive is unzipped to an empty workspace directory. The $GOPATH environment variable is set to this workspace. Each directory in this workspace is scanned for a GO file containing a main() function, to identify the main package to compile the application.

You can validate that the application compiles by running the go build command after unzipping the file into a blank directory, or by running the go vet command on it to identify any issues with the structure of the directory and package layout. If the application is unable to compile after being unzipped into a blank directory, Veracode is unable to analyze the application.

To better understand the use of the vendor folder, review the official Go documentation.

If your application includes vendor dependencies that contain code in languages other than Go, you should remove them with the following command: find /<path>/app/vendor -type f -not -name '*.go' -delete

The Veracode Platform scans only GO files that have the GO extension.

When creating an archive of a Go application on macOS, the folder compression process creates hidden __MACOSX resource fork files that you must remove. To remove the hidden resource fork files:

  1. Run zipinfo on the Go application archive to view a list of its files.
  2. Review the list of files to verify that all resource fork files are removed.
  3. Remove resource fork files from an existing archive on macOS using the following command: zip -d __MACOSX/*