Nancy is a tool to check for vulnerabilities in your Go dependencies, powered by Sonatype OSS Index. Nancy currently works for projects that use dep or go mod for dependencies.

You can see an example of using nancy in Travis-CI at this intentionally vulnerable repo we made.


A portion of the Go ecosystem doesn't use proper versions, and instead uses a commit hash to resolve your dependency. Dependencies like this will not work with Nancy quite yet, as we don't have a mechanism on Sonatype OSS Index to lookup vulnerabilities in that manner.


You can install the pre-compiled binary (in several different ways) or compile from source.

Download release binary

Homebrew (macOS)

$ brew tap sonatype-nexus-community/tap
$ brew install nancy

Manual Download

Download the pre-compiled binaries from the releases page and copy to the desired location.

Build from source

# clone it outside GOPATH
git clone
cd nancy

# get dependencies using go modules (needs go 1.11+)
go get ./...

# build
go build -o nancy .

# check it works
./nancy -version

About Nancy

Nancy Drew was the first female detective used extensively in literature, and gave women across the world a new hero. This project is called Nancy as like the great detective herself, it looks for problems you might not be aware of, and gives you the information to help put them to an end!