Go Support Is Now Generally Available

We're excited to announce that Socket’s support for Go is now generally available. If your repositories include Go projects, Socket will now automatically detect your go.mod and go.sum files and scan them for potential supply chain threats—no manual configuration required.

Go support has been available in preview for several months and has proven to be stable and reliable in production. Many users have already been benefiting from Go package scanning as part of our early access rollout, and today’s launch makes that protection available to everyone.

We’ve also had Go package pages live on the Socket site for some time. With today’s release, Go joins JavaScript, Python, Java, and Ruby as generally available languages with comprehensive scanning and alerting. (We also support Scala, Kotlin, and .NET today, and these languages will soon be moving to GA.)

Go Is Not Immune to Supply Chain Attacks#

While supply chain attacks are more common in ecosystems like JavaScript and Python, Go is not immune. Earlier this year, Socket uncovered a campaign targeting Go developers with typosquatted packages delivering hidden malware on Linux and macOS. And in a separate case, our researchers identified a backdoored clone of the popular BoltDB package that exploited Go’s module proxy caching to persist undetected for over three years.

These attacks couldn’t be caught by looking at metadata alone—they required analyzing the actual code inside the package to uncover hidden backdoors and obfuscated behavior.

That’s why Socket doesn’t just look at a package’s version or origin. We analyze the actual code that gets installed. Our scanner detects obfuscation, network backdoors, misuse of exec.Command, and other indicators of compromise, threats that would otherwise go unnoticed, especially when the repository looks clean.

Managing Go Alerts#

If you’re now seeing Go alerts in places where you previously weren’t, that’s expected. Socket now scans Go modules automatically. But if you’re not using Go, or would rather not see these alerts, you can adjust this in your project settings. A new setting in the dashboard makes it easy to disable alerts for specific ecosystems.

Go support is now fully rolled out across Socket, giving every user automatic protection for Go projects. As attackers find new ways to hide malicious code in seemingly trustworthy packages, Socket's ability to analyze what a package actually does—not just where it comes from—helps developers stay ahead of emerging threats.