QP22 Go Module Presence
What this means
SiteShadow flagged missing Go module signals (like go.mod / go.sum) or patterns suggesting dependency management isn't standardized.
Why it matters
- Reproducibility suffers without consistent dependency resolution: two builds of the same commit can pull different dependency versions.
- Supply-chain risk increases when dependencies aren't pinned and their checksums aren't recorded.
- Security patching is slower when you can't quickly identify which dependency versions are in use and upgrade the vulnerable ones.
Safer examples
1) Use Go modules (go.mod + go.sum)
Commit both files and keep them updated as dependencies change.
2) Keep dependencies minimal and reviewed
Avoid pulling in large dependency trees without justification.
3) Run dependency checks in CI
Track vulnerable dependencies and keep Go version/tooling consistent across environments.
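As an added example (not SiteShadow's own detection code), a small Go audit that applies the checks above to a go.mod: it flags a missing go directive, a replace that points at a local filesystem path (which go.sum cannot cover), and a missing go.sum when dependencies are required. The sample go.mod and the module paths in it are constructed for this example.

```go
package main

import (
	"bufio"
	"strings"
)

// sampleGoMod is a constructed go.mod (not from any real project) carrying a local-path replace.
const sampleGoMod = "module example.com/app\ngo 1.22\nrequire (\n\tgithub.com/pkg/a v1.4.0\n\tgithub.com/pkg/b v0.3.1 // indirect\n)\nreplace github.com/pkg/a => ../a\n"

// auditGoMod scans go.mod text (hasGoSum: does go.sum sit beside it?) and returns the
// weak-provenance signals this page describes, one string per finding.
func auditGoMod(goMod string, hasGoSum bool) []string {
	var findings []string
	block, sawGo, requires := "", false, 0
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line, _, _ := strings.Cut(strings.TrimSpace(sc.Text()), "//") // drop comments such as "// indirect"
		f := strings.Fields(line)
		kind := block
		switch {
		case len(f) == 0:
			continue
		case f[0] == "go":
			sawGo = true
			continue
		case f[0] == ")":
			block = ""
			continue
		case (f[0] == "require" || f[0] == "replace") && len(f) == 2 && f[1] == "(":
			block = f[0] // entering a parenthesised block
			continue
		case f[0] == "require" || f[0] == "replace":
			kind, f = f[0], f[1:] // single-line form of the same directive
		}
		if kind == "require" && len(f) >= 2 {
			requires++ // version pins live here; their hashes must be in go.sum
		} else if i := strings.Index(line, "=>"); kind == "replace" && i >= 0 && len(strings.Fields(line[i+2:])) == 1 {
			findings = append(findings, "filesystem replace for "+f[0]+" bypasses go.sum") // a path target carries no version
		}
	}
	if !sawGo {
		findings = append(findings, "no go directive: toolchain version not recorded")
	}
	if requires > 0 && !hasGoSum {
		findings = append(findings, "go.sum missing: dependency hashes not recorded")
	}
	return findings
}
```

Running auditGoMod(sampleGoMod, false) reports the local-path replace and the missing go.sum; a go.mod whose replace targets a versioned module and whose go.sum is present reports nothing.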
How SiteShadow detects it (high level)
- Detects missing module files and inconsistent dependency signals in Go repos.
- Flags repos where dependency provenance/pinning appears weak.
References
- Go Modules: https://go.dev/ref/mod