How to Use Nancy to Improve Your Go Application Security

I believe in writing high-quality Go code, and I bet you do, too. I also know I’m not a genius and can’t write high-quality code all of the time. Fortunately, a number of Go tools help me write high-quality code with less time and effort. Code linters, unit tests and TDD, and continuous integration are just a few examples.

But if you’re like me, you’ve sometimes overlooked a very important, but often invisible, aspect of code quality: security.

Security is a broad topic, and there are no silver bullets to write a perfectly secure application, but there are some tools that can help.

Here, I will describe Nancy, a free Go tool that can help improve the security of your Go applications by alerting you to any known vulnerabilities in your project’s dependencies. It’s very easy to incorporate Nancy into your CI pipeline and to run Nancy manually. I’ll show you how.

Introducing Nancy

“Hello. I’m Nancy Drew. It’s nice to meet you. May I ask who you are?” —Nancy Drew, Nancy Drew (2007)

Reader, meet Nancy. Nancy, meet Reader.

Nancy, as you may know by reputation, is a detective. She uses Sonatype’s OSS Index to check for vulnerabilities in your Go dependencies.

Named after the fictional detective, Nancy works by scanning your Gopkg.lock file (if you use dep) or go.sum (if you use Go modules). From these files, Nancy consults the OSS Index for known vulnerabilities in your dependencies, and if any are found, an error message is reported. But enough talk, let’s take a look!
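To make the first half of that workflow concrete, here is an added example (my own code, not Nancy's and not from the original post) that does what a go.sum-based scanner must do before it can ask the OSS Index anything: read go.sum, collapse the two entries each module produces (the `h1:` hash line and the `/go.mod` line) into one module@version pair, and render each pair as a package-URL style coordinate. The `sampleGoSum` content and its hashes are constructed, and the exact `pkg:golang/...` coordinate layout is an assumption for illustration; the OSS Index lookup itself is not performed here.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample go.sum content (not a real project's file; hashes are fake).
// Each module normally appears twice: once with its content hash and once
// with a "/go.mod" suffix for the hash of its go.mod file.
const sampleGoSum = `github.com/gorilla/websocket v1.4.0 h1:constructedhash1=
github.com/gorilla/websocket v1.4.0/go.mod h1:constructedhash2=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:constructedhash3=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:constructedhash4=
github.com/pkg/errors v0.8.1/go.mod h1:constructedhash5=
`

// Coordinate is one module/version pair a vulnerability scanner would look up.
type Coordinate struct {
	Module  string
	Version string
}

// PURL renders the coordinate in a package-URL style string. The layout
// (pkg:golang/<module>@<version without leading v>) is an assumption made
// for this example, not a documented Nancy or OSS Index contract.
func (c Coordinate) PURL() string {
	return "pkg:golang/" + c.Module + "@" + strings.TrimPrefix(c.Version, "v")
}

// ParseGoSum extracts the unique module/version pairs from go.sum text.
// Caveat: go.sum can list modules (for example "/go.mod"-only entries) that
// are not actually linked into the final binary, so a go.sum-based scan may
// report dependencies your build does not use; it errs on the side of noise.
func ParseGoSum(text string) ([]Coordinate, error) {
	seen := map[Coordinate]bool{}
	var out []Coordinate
	sc := bufio.NewScanner(strings.NewReader(text))
	lineNo := 0
	for sc.Scan() {
		lineNo++
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 3 {
			return nil, fmt.Errorf("go.sum line %d: expected 3 fields, got %d", lineNo, len(fields))
		}
		// "v1.4.0/go.mod" and "v1.4.0" refer to the same module version.
		version := strings.TrimSuffix(fields[1], "/go.mod")
		c := Coordinate{Module: fields[0], Version: version}
		if seen[c] {
			continue
		}
		seen[c] = true
		out = append(out, c)
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Module < out[j].Module })
	return out, nil
}

func main() {
	coords, err := ParseGoSum(sampleGoSum)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	// These are the coordinates a scanner would send to a vulnerability index.
	for _, c := range coords {
		fmt.Println(c.PURL())
	}
}
```

Running it prints one coordinate per unique dependency; a scanner like Nancy takes that list to the OSS Index and reports any entry with a known vulnerability. The deduplication step matters in practice: without it, every module would be queried twice and any finding would be reported twice.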


“A reporter has the right to do things an ordinary person shouldn’t.” —Nancy Drew, Nancy Drew … Reporter (1939)

As Nancy is a tool written in Go, and Go compiles to a static (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Jonathan Hall. Read the original post at: