
Peter van der Zee
Ryan Eberhardt
April 17, 2025
We're excited to announce that Socket’s support for Go is now generally available. If your repositories include Go projects, Socket will now automatically detect your go.mod and go.sum files and scan them for potential supply chain threats—no manual configuration required.
Go support has been available in preview for several months and has proven to be stable and reliable in production. Many users have already been benefiting from Go package scanning as part of our early access rollout, and today’s launch makes that protection available to everyone.
We’ve also had Go package pages live on the Socket site for some time. With today’s release, Go joins JavaScript, Python, Java, and Ruby as generally available languages with comprehensive scanning and alerting. (We also support Scala, Kotlin, and .NET today, and these languages will soon be moving to GA.)
While supply chain attacks are more common in ecosystems like JavaScript and Python, Go is not immune. Earlier this year, Socket uncovered a campaign targeting Go developers with typosquatted packages delivering hidden malware on Linux and macOS. And in a separate case, our researchers identified a backdoored clone of the popular BoltDB package that exploited Go’s module proxy caching to persist undetected for over three years.
These attacks couldn’t be caught by looking at metadata alone—they required analyzing the actual code inside the package to uncover hidden backdoors and obfuscated behavior.
That’s why Socket doesn’t just look at a package’s version or origin. We analyze the actual code that gets installed. Our scanner detects obfuscation, network backdoors, misuse of exec.Command, and other indicators of compromise, threats that would otherwise go unnoticed, especially when the repository looks clean.
If you’re now seeing Go alerts in places where you previously weren’t, that’s expected. Socket now scans Go modules automatically. But if you’re not using Go, or would rather not see these alerts, you can adjust this in your project settings. A new setting in the dashboard makes it easy to disable alerts for specific ecosystems.
Go support is now fully rolled out across Socket, giving every user automatic protection for Go projects. As attackers find new ways to hide malicious code in seemingly trustworthy packages, Socket's ability to analyze what a package actually does—not just where it comes from—helps developers stay ahead of emerging threats.