Scanning Go projects

To enable Fortify ScanCentral SAST clients to package Go projects for remote translation and scan, the following requirements must be met:

  • The Go compiler must be installed on the client to resolve project dependencies.

  • The directory containing the go executable must be in the PATH variable.

  • Configure the Go environment variables. For example, to use a specific Go proxy, configure it as follows:

    set GOPROXY=.... (Windows)

    export GOPROXY=... (Linux)

    Sensors do not require a connection to a Go proxy to resolve dependencies, because they run the Go translation with GOPROXY=off and because the vendor directory under the project root, populated on the client, contains all the required dependencies. The sensor overrides the GOFLAGS environment variable with GOFLAGS=-mod=vendor when it runs an OpenText SAST translation, so anything that is not in the vendor directory is not available to the sensor.

  • The Go project must include a go.mod file.

  • OpenText recommends that the Go project includes a go.sum file so that restoring dependencies with go mod vendor succeeds; go.sum also lets the go command verify the checksums of the modules it vendors.

To prevent Fortify ScanCentral SAST from automatically restoring dependencies using go mod vendor, include the -skipBuild option in the scan request command. If dependencies were already restored before running Fortify ScanCentral SAST, they are included in the project package that is sent to the Controller.
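The following pre-flight script, an added example that is not part of the Fortify documentation or tooling, checks a project against the requirements above before a scan request is made. It assumes the project root is passed as the first argument, that the client's own GOPROXY setting is already exported, and that vendor/modules.txt is the marker of a completed go mod vendor; the final step rebuilds the tree with GOPROXY=off and GOFLAGS=-mod=vendor to reproduce the sensor's environment, so a dependency missing from the vendor directory fails on the client instead of on the sensor.

```shell
#!/bin/sh
# Pre-flight check for packaging a Go project for ScanCentral SAST.
# Added example (not Fortify's own code). Assumes: $1 is the project root,
# GOPROXY for the client is already exported, vendor/modules.txt marks a
# completed "go mod vendor".

# check_layout DIR: go.mod is mandatory; go.sum is recommended (checksum verification).
check_layout() {
  dir="$1"
  [ -f "$dir/go.mod" ] || { echo "ERROR: no go.mod in $dir" >&2; return 1; }
  [ -f "$dir/go.sum" ] || echo "WARN: no go.sum in $dir; module checksums cannot be verified" >&2
  return 0
}

# vendor_ready DIR: true when the vendor directory has been populated by "go mod vendor".
vendor_ready() {
  [ -f "$1/vendor/modules.txt" ]
}

# restore_deps DIR: vendor dependencies with the client's proxy settings, then
# build the tree exactly as the sensor resolves it (no proxy, vendor only).
restore_deps() {
  dir="$1"
  command -v go >/dev/null 2>&1 || { echo "ERROR: go is not in PATH" >&2; return 1; }
  (cd "$dir" && go mod vendor) || { echo "ERROR: go mod vendor failed" >&2; return 1; }
  (cd "$dir" && GOPROXY=off GOFLAGS=-mod=vendor go build ./...) \
    || { echo "ERROR: tree does not build from vendor/ alone" >&2; return 1; }
  vendor_ready "$dir"
}

# preflight DIR: run all checks; exit status 0 means the project is ready to package.
preflight() {
  check_layout "$1" && restore_deps "$1"
}

# Entry point when run directly: ./preflight.sh /path/to/project
if [ -n "$1" ]; then
  if preflight "$1"; then
    echo "READY: $1 has vendored dependencies; add -skipBuild to the scan request to keep them as-is"
  else
    exit 1
  fi
fi
```

Once preflight succeeds, the vendor directory already holds everything the sensor needs, so the scan request can include -skipBuild and the package sent to the Controller carries the dependencies restored on the client.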