Private modules and proxies
Configure `GOPRIVATE` and related settings intentionally so private code stays private while public modules keep proxy and checksum protections.
Canonical guidance
- set
GOPRIVATEfor private module path prefixes - scope
GONOSUMDBorGONOPROXYnarrowly when needed - keep proxy and checksum protections for public modules
Use when
- internal company modules
- mixed public and private dependency graphs
- corporate proxy or checksum policy configuration
Avoid
- disabling checksum verification for everything
- checking secrets into
go env -wscripts - debugging private module access by globally turning off protections
Preferred pattern
go env -w GOPRIVATE=example.com,github.com/acme/*
Anti-pattern
- setting
GONOSUMDB=*orGONOPROXY=*just to make one private dependency work
Explanation: This anti-pattern is tempting under delivery pressure, but it throws away safety for the entire dependency graph.
Why
- private module access is a policy boundary; it should be explicit and narrowly scoped
Related pages
Sources
- Go Modules Reference - Go Team