Golang developers care a lot about security and as Go modules become more widely used, they need more ways to assure these publicly shared packages are safe.

One unique feature included with Golang version 1.13 is the foresight that went into authentication and security for Go modules. When a developer creates a new module or a new version of an existing module, a go.sum file included there creates a list of SHA-256 hashes that are unique to that module version. That go.sum file is then sent to Google’s official checksum database where it is stored and used to verify that modules haven’t been tampered with when accessed later by a GOPROXY. This helps keep the integrity of packages intact. In this talk, we’ll go over the behavior of the checksum database, how it protects Go modules, and how the merkle-tree works.

Now, while the checksum authentication feature helps create trust among developers, it isn’t fully tamperproof. If a vulnerability is introduced in the original module’s files, the gosumdb will only be able to indicate that the module wasn’t changed later. This doesn’t solve the problem of malicious code being introduced in the very first commit.

Luckily, GoCenter can now tell you when any Go module has a known vulnerability. We’ve brought the power of JFrog Xray’s security scanning to this reliable repository of Go modules for the Golang developer community.

Go 1.13 introduced important security features to Go Modules including a checksumdb. We’ll explain how this works and provide info on other tools that keep modules secure. GoCenter now has vulnerability scanning capabilities so developers can check for security issues.