
godeps-guard

Securing the supply chain of enterprise Go applications.

tech stack

Go, CI/CD, Security, GitHub Actions

The Problem

As Go projects grow, dependency bloat and "dependency confusion" style attacks (look-alike or unreviewed modules slipping into the build) become significant risks. Manual audits are slow, and working out the impact of a single new dependency across a large module graph is nearly impossible for a reviewer to do by hand at the moment a Pull Request is opened.

What I Built

I built godeps-guard, a CLI tool that integrates into CI pipelines to automatically analyze every dependency change. It evaluates the impact of new imports against a security policy and provides instant feedback to engineers directly in their PRs.

Architecture & Approach

The tool runs `go list -m -json all` to enumerate the module graph. It then diffs the module set of the PR branch against that of the main branch and flags additions as "Suspicious" or "Unauthorized" based on a configurable allow-list or vulnerability heuristics. Replaced modules need care here: a `replace` directive can redirect a trusted module path to a different repository or a local directory, so an allow-list check has to look at the replacement target, not just the declared path.
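The following is an added illustration of the diff-and-classify step described above; it is not godeps-guard's own code. It parses the concatenated JSON objects that `go list -m -json all` prints, diffs two module sets, and applies a hypothetical prefix allow-list. The `BaseList`/`HeadList` samples and the `AllowList` prefixes are constructed for the example; the only thing it assumes about the real tool is the shape of the `go list` output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// Module holds the fields of `go list -m -json all` output that the
// classifier needs; the JSON keys match what the go command emits.
type Module struct {
	Path    string  `json:"Path"`
	Version string  `json:"Version"`
	Main    bool    `json:"Main"`
	Replace *Module `json:"Replace,omitempty"`
}

// ParseModules decodes the stream of concatenated JSON objects (one per
// module, not a JSON array) into a map keyed by module path. The main
// module is skipped: it is the thing being analysed, not a dependency.
func ParseModules(r io.Reader) (map[string]Module, error) {
	dec := json.NewDecoder(r)
	mods := make(map[string]Module)
	for {
		var m Module
		if err := dec.Decode(&m); err == io.EOF {
			return mods, nil
		} else if err != nil {
			return nil, err
		}
		if !m.Main {
			mods[m.Path] = m
		}
	}
}

type Finding struct {
	Path, Version, Verdict, Reason string
}

// allowed reports whether path starts with any allow-list prefix.
func allowed(path string, allow []string) bool {
	for _, p := range allow {
		if strings.HasPrefix(path, p) {
			return true
		}
	}
	return false
}

// judge applies the allow-list to one module. A replace directive can point
// a trusted path at another repository or a local directory, so the check
// is made against the replacement target, not the declared path.
func judge(m Module, allow []string, why string) Finding {
	f := Finding{Path: m.Path, Version: m.Version}
	switch {
	case m.Replace != nil && m.Replace.Version == "":
		f.Verdict, f.Reason = "suspicious", why+": replaced by local directory "+m.Replace.Path
	case m.Replace != nil && !allowed(m.Replace.Path, allow):
		f.Verdict, f.Reason = "suspicious", why+": replaced by unlisted module "+m.Replace.Path
	case m.Replace == nil && !allowed(m.Path, allow):
		f.Verdict, f.Reason = "unauthorized", why+": not on allow-list"
	default:
		f.Verdict, f.Reason = "allowed", why
	}
	return f
}

// Classify reports every module that is new in head relative to base, and
// every existing module whose replace directive was added or changed.
func Classify(base, head map[string]Module, allow []string) []Finding {
	var out []Finding
	for path, m := range head {
		old, existed := base[path]
		if !existed {
			out = append(out, judge(m, allow, "new module"))
		} else if m.Replace != nil && (old.Replace == nil || *old.Replace != *m.Replace) {
			out = append(out, judge(m, allow, "replace directive changed"))
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out
}

// Constructed sample output (not from a real project). Base is the main
// branch; head adds two modules and redirects golang.org/x/text to a local fork.
const BaseList = `{"Path":"example.com/app","Main":true}
{"Path":"github.com/acme/log","Version":"v1.2.0"}
{"Path":"golang.org/x/text","Version":"v0.14.0"}`

const HeadList = `{"Path":"example.com/app","Main":true}
{"Path":"github.com/acme/log","Version":"v1.2.0"}
{"Path":"github.com/acme/metrics","Version":"v0.3.1","Indirect":true}
{"Path":"github.com/someone/leftpad","Version":"v0.0.0-20240101000000-abcdef123456"}
{"Path":"golang.org/x/text","Version":"v0.14.0","Replace":{"Path":"../text-fork","Dir":"/work/text-fork"}}`

// AllowList holds hypothetical policy prefixes for this example.
var AllowList = []string{"github.com/acme/", "golang.org/x/"}

func main() {
	base, _ := ParseModules(strings.NewReader(BaseList))
	head, _ := ParseModules(strings.NewReader(HeadList))
	for _, f := range Classify(base, head, AllowList) {
		fmt.Printf("%-12s %s %s (%s)\n", f.Verdict, f.Path, f.Version, f.Reason)
	}
}
```

In a pipeline the two inputs would come from running `go list -m -json all` once on the base commit and once on the PR head. Two caveats a practitioner should keep in mind: the command may need network access if a module is not yet in the module cache, and it lists the module graph rather than the modules whose packages are actually compiled, so `go mod why -m <module>` is the follow-up for deciding whether a flagged addition is even reachable from the build.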

Impact & Results

Eliminated manual dependency audits for 3 active internal projects.

Reduced average binary size by 12% by catching "heavy" transitive dependencies early.

Identified and blocked 2 unauthorized dependency additions during the initial rollout.

Key Decisions & Tradeoffs

I chose to build this in Go so that it ships as a single static binary that installs on CI runners with no runtime dependencies, and so that it can later use Go's standard go/ast, go/parser and go/types packages for deeper code analysis planned on the roadmap.