If you’re a Golang developer using Visual Studio Code, keeping at-risk Go Modules out of your apps just got easier, and for free.
The JFrog extension for VS Code is available for free download. This integration brings live vulnerability information about every public Go Module you use directly into your source editor, drawn from the metadata of JFrog GoCenter. This means that you can be aware of potential risks from your open-source Go Modules and make better choices, even before your first build.
VS Code has become the source editor of choice for many Golang coders, including some of our own developers at JFrog. It’s among several JFrog integrations for popular IDEs provided for customers of JFrog Xray, making the risks of open-source dependencies more visible to developers, and helping to shift-left security vigilance.
To help fulfill our mission of making software development and delivery faster, more secure, and more reliable, we’ve taken our VS Code extension to the next level. By drawing from the Go module vulnerabilities data available in GoCenter, VS Code users can benefit even without a licensed instance of Xray.
Once the extension is installed, you can see this vulnerability information in VS Code by hovering over the module in the go.mod file.
VS Code doesn’t only show this information for your direct module dependencies. You can also see indirect (transitive) dependencies, in a hierarchical tree view.
You can jump from the module in the go.mod directly to the tree view and do the same from the tree to the module definition in the go.mod.
You can also navigate directly into the GoCenter UI and see even more information about the module under the Security tab.
With such accelerating growth of the Go Module ecosystem, it becomes ever more important to have insight into the dependencies you use. JFrog’s extension for VS Code can also help relieve the stress of managing vulnerabilities for the other languages you use in VS Code. It can reveal risks in packages from many ecosystems, such as Maven, Gradle, npm, NuGet, RubyGems, and PHP Composer, and can also identify dependencies that don’t match your organization’s license policies.
We hope you’ll like this new feature of the JFrog VS Code Extension, and that it helps show the value of using GoCenter as your GOPROXY. We are working very hard to create even more value for the Go community, which we are proud to be part of. The extension is open source and GoCenter was built free for the community, so you’re welcome to join us and contribute feedback to this project.