What is the best way to avoid scanning dependencies in Go?

I recently activated DeepSource on a long-running Go project. It took around 8 minutes to finish the first analysis, and then I was shown way more issues than I anticipated. Turns out DeepSource analyzed the dependencies as well.

So, my question is, do we have a nice way to ask DeepSource not to scan dependencies in a Go repo?

The Go analyzer supports the dependencies_vendored flag, which, when set to true, will skip dependency installation.

There are multiple ways to handle this.

  1. We can update the Go analyzer to skip the vendor directory during analysis if dependencies_vendored is set to true.
  2. The user should add vendor/** to exclude_patterns.

The only issue I see with the first approach is that if the user vendors dependencies and wants to analyze the vendor directory, there is no way for them to do so.

I did some digging, and it has been a very popular opinion that the vendor directory should be ignored when using wildcard matches ...

Besides, the vendor directory is meant to store source from external import paths and hence should not be analyzed. We just made some changes to the Go analyzer and are ignoring the vendor directory in our analyses by default from now on.

Reference: https://github.com/golang/go/commit/fa1d54c2edad607866445577fe4949fbe55166e1

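A .deepsource.toml that applies the workaround discussed in the thread, as an added example rather than configuration from the original posts or from DeepSource itself; the import_root value is a placeholder:

```toml
version = 1

# Top-level exclusion: paths matching these patterns are skipped during analysis.
# The Go analyzer now ignores vendor/ on its own, so this line mainly matters
# for other analyzers enabled on the same repository.
exclude_patterns = ["vendor/**"]

[[analyzers]]
name = "go"
enabled = true

  [analyzers.meta]
  # Placeholder module path; replace with the repository's own import path.
  import_root = "github.com/example/project"
  # Use the checked-in vendor/ tree instead of installing dependencies.
  dependencies_vendored = true
```

With vendor/ excluded, issues in vendored third-party code are not reported, which is exactly the coverage the next post asks about.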

Can we have an option to analyze dependencies? It would be recommended to leave it unset by default. A config directive, combined with a checkbox in the config screen for the Go analyzer.

We could, but I don’t see why it would be needed. Do you have any use-case in mind?