PkgRadar

Coverage go

Go modules proxy.golang.org

Go. Modules are immutable in the public proxy, so the supply-chain surface is install-time init() side effects, cgo C code, build-tagged stubs, and `replace` redirects. The module zip is fetched from proxy.golang.org and walked for indicator filenames and cross-language exec/network/exfil string signals.

Packages scanned

2.1M

High risk

4,634

Review

385.5K

High-severity findings

5,197

Last scan

5m ago

Install-time attack surface

build-tagged init() functions, cgo preamble, `go:generate` directives, and `replace` clauses

Supported lockfile formats

Spec format

pkgradar gate --ecosystem go github.com/sirupsen/[email protected]

Recent activity

The corpus-wide release feed lives on /campaigns. A per-ecosystem release feed for Go modules is on the roadmap — the stats above are filtered to this ecosystem in the meantime.

Other ecosystems