Dependabot can now update private Go modules hosted on enterprise registries and behind GOPROXY-compatible private proxies, as well as public modules, within the same workflow. This enables automated version and security updates for internal Go libraries.

What’s new

A Dependabot community request highlighted the need to set GOPROXY and GOPRIVATE to authenticate to private registries, proxies, and vanity URLs. Dependabot has expanded support for Go modules, making it easier to keep dependencies up to date across a variety of environments. Go private registry support is compatible with JFrog Artifactory and Nexus.

Configure your private registry using the dependabot.yml file with the goproxy-server type.

Environment configuration using go.env
You can also optionally configure how the Go toolchain accesses your proxy server by creating a go.env file in your repository root. This file allows you to set environment variables like GOPROXY, GOPRIVATE, GONOSUMDB, and GOSUMDB to control how Go modules are resolved.

This feature enables unified dependency management for both public and private Go modules within a single Dependabot workflow, making it ideal for organizations using corporate artifact management systems like JFrog Artifactory or Nexus. Alternatively, GitHub Advanced Security customers can use the organization UI to manage credentials centrally.

Learn more

This feature is available on github.com today and coming to GitHub Enterprise Server (GHES) in 3.20.

Join the discussion within the Dependabot community.