Module Monitoring
Source Spotter records every module version served by the Go Module Mirror and Checksum Database. You can subscribe to an Atom feed of those observations to make sure the module mirror is faithfully serving the same versions that you have released.
If you're interested in email or webhook notifications, consider GopherWatch.
Atom Feed
The feed is available at https://feeds.api.sourcespotter.com/modules/versions.atom.
It returns up to 10,000 versions (excluding pre-release versions) ordered by the time we observed them.
The feed accepts the following query parameters:
module(required) – the module path to inspect. Append a trailing slash (/) to match all modules with the given prefix.ed25519(optional) – a base64-encoded public key. When supplied, the feed only returns versions that have not been authorized by that key (see below).
For example, requesting ?module=example.com/module returns the versions of exactly that module,
while ?module=example.com/ returns every module whose path starts with
example.com/.
Try It Out
Enter the module path and optional Ed25519 public key to open the feed.
Authorizing Versions (Experimental)
Source Spotter can accept go.sum files signed by an Ed25519 key to mark module versions
as authorized. When you supply the public key's base64 representation via the
ed25519 parameter, the feed filters out the versions that have already been
authorized, allowing you to focus on unexpected releases.
To upload an authorization, POST the JSON serialization of the following Go struct
(containing an Ed25519 public key, a go.sum file, and an Ed25519 signature over
the go.sum file)
to https://v1.api.sourcespotter.com/modules/authorized:
struct {
Ed25519 []byte
GoSum string
Signature []byte
}