Setup Go Proxy with DevGuard Dependency Proxy

The XZ Utils backdoor discovered in 2024 (CVE-2024-3094) was a stark reminder that supply chain attacks are not limited to dynamic language ecosystems — a malicious contributor spent years gaining trust before inserting a backdoor into a widely deployed compression library. While the Go module proxy protocol provides strong integrity guarantees through checksums, it does not protect against modules that are malicious by design. The DevGuard dependency proxy adds that missing layer, checking every module against the OSV dataset before it is written to your module cache.

  • Registry URL: <your-devguard-url>/api/v1/dependency-proxy/go

Configuration

Set the GOPROXY environment variable to point at DevGuard. Go will use it for all subsequent module downloads in that shell session:

To make this permanent, add it to your CI environment or shell profile. For project-scoped configuration, set it in your CI/CD platform's environment variable configuration alongside your other build variables. Then use go get as usual:
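As an added example (not DevGuard's own tooling), the shell helper below builds the GOPROXY value from the registry URL above and verifies that no fallback entry lets a download skip the proxy. `devguard.example.com`, `DEVGUARD_URL`, the function names and the HTTPS-only rule are assumptions of this example.

```shell
#!/bin/sh
# Added example, not DevGuard's own tooling. devguard.example.com is a
# placeholder; set DEVGUARD_URL to the base URL of your real instance.

# Build the Go proxy endpoint from the DevGuard base URL (path from this page).
# Refusing plain HTTP is a choice made by this example.
devguard_goproxy() {
    base=${1%/}                      # drop one trailing slash
    case $base in
        https://?*) printf '%s/api/v1/dependency-proxy/go\n' "$base" ;;
        *) echo "refusing non-HTTPS base URL: $1" >&2; return 1 ;;
    esac
}

# Succeed only if the GOPROXY value ($1) is exactly the DevGuard endpoint ($2).
# Go tries the next list entry after "," on a 404/410 response and after "|"
# on any error, and "direct"/"off" are special values, so any list or other
# value means some downloads can skip the proxy's check.
check_goproxy() {
    case $1 in
        *,*|*'|'*) echo "GOPROXY has fallback entries: $1" >&2; return 1 ;;
    esac
    [ "$1" = "$2" ] || { echo "GOPROXY is not the DevGuard endpoint: $1" >&2; return 1; }
}

# Usage: only acts when DEVGUARD_URL is set and the go tool is installed.
if [ -n "${DEVGUARD_URL:-}" ] && command -v go >/dev/null 2>&1; then
    GOPROXY=$(devguard_goproxy "$DEVGUARD_URL") || exit 1
    export GOPROXY
    # `go env GOPROXY` reports the value the toolchain will actually use.
    check_goproxy "$(go env GOPROXY)" "$GOPROXY" || exit 1
    echo "GOPROXY=$GOPROXY"
    # From here, `go get <module>` in this shell resolves through DevGuard.
fi
```

Source the file from a shell profile or CI step with `DEVGUARD_URL` set; without it the script only defines the two functions.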

Testing

DevGuard ships a test module that is permanently flagged as malicious:

If the request is blocked, the proxy is working correctly. Legitimate modules in the same session will resolve normally.
