gosec
Go security checker
gosec is a command-line tool that scans Go source code for security problems before the code ever runs. You point it at your Go project, and it analyzes the code to look for common mistakes that could lead to security vulnerabilities, such as hardcoded passwords, weak encryption, SQL injection risks, unsafe file handling, and more.
The tool works by reading the structure of your Go code (the abstract syntax tree, plus a secondary static single assignment form called SSA) and applying a set of rules that flag patterns known to be risky. Rules are grouped by category: general secure coding issues, injection risks, file and path handling, cryptographic weaknesses, blocklisted library imports, Go-specific checks, and taint analysis. Taint analysis is the more advanced mode: it tracks data flowing from user-supplied input to potentially dangerous operations such as database queries or shell commands.
You can run gosec locally with a single install command, or add it as a step in a GitHub Actions workflow so that it checks every push or pull request automatically. Results can be written as plain text, JSON, or SARIF format. The SARIF format integrates directly with GitHub's code scanning feature, which displays findings as security alerts on the repository.
The tool supports running all rules by default or selecting a specific subset using include and exclude flags. Individual findings can also be suppressed inline in code when a developer decides a flagged pattern is not a real risk in a particular case.
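The following Go file is an added illustration, not code from the gosec project: it contains two of the patterns gosec reports (a hardcoded credential, rule G101, and a SQL query assembled with a format string, rule G201) next to the form each should take instead, and shows the inline `#nosec` annotation the tool recognises for suppressing a single finding. The rule IDs and the `#nosec` syntax are gosec's own; the function names, the `DB_PASSWORD` variable and the string values are constructed for this example.

```go
package main

import (
	"database/sql"
	"fmt"
	"os"
)

// --- G101: hardcoded credentials -------------------------------------------
// gosec flags string constants whose names suggest a secret. The value below is
// a constructed placeholder, not a real credential.
const dbPassword = "placeholder-not-a-real-secret"

// Instead, read the secret at runtime so it never lives in source control.
func passwordFromEnv() (string, error) {
	pw := os.Getenv("DB_PASSWORD")
	if pw == "" {
		return "", fmt.Errorf("DB_PASSWORD is not set")
	}
	return pw, nil
}

// A fixture used only by unit tests; the inline annotation tells gosec to skip
// rule G101 on this line, with the reason recorded after "--".
const testFixturePassword = "fixture-value" // #nosec G101 -- unit-test fixture, not a credential

// --- G201: SQL built with a format string -----------------------------------
// Any quote in username becomes part of the SQL text, so the structure of the
// query depends on untrusted input. gosec reports this pattern as G201.
func buildQueryUnsafe(username string) string {
	return fmt.Sprintf("SELECT id FROM users WHERE name = '%s'", username)
}

// The parameterised form: the SQL text is a constant and the user value is
// handed to the driver separately for binding, so it can never change the query.
const userByNameQuery = "SELECT id FROM users WHERE name = ?"

func buildQuerySafe(username string) (query string, args []any) {
	return userByNameQuery, []any{username}
}

// lookupUser runs the parameterised query against a real connection.
func lookupUser(db *sql.DB, username string) (int, error) {
	query, args := buildQuerySafe(username)
	var id int
	if err := db.QueryRow(query, args...).Scan(&id); err != nil {
		return 0, err
	}
	return id, nil
}

func main() {
	// A single apostrophe in ordinary input is enough to break the formatted query.
	fmt.Println("unsafe:", buildQueryUnsafe("O'Brien"))
	q, args := buildQuerySafe("O'Brien")
	fmt.Println("safe:  ", q, args)
	if _, err := passwordFromEnv(); err != nil {
		fmt.Println("config:", err)
	}
}
```

Running `gosec ./...` from the module root reports the `dbPassword` constant and `buildQueryUnsafe`, while the annotated fixture constant is skipped. `-include=G101,G201` restricts a run to just these rules, `-exclude=G201` drops one, and `-fmt=sarif -out=results.sarif` writes the output in the form GitHub's code scanning ingests.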
This is an Apache-licensed open-source project maintained by the securego organization. It requires Go 1.25 or newer to install.
Where it fits
- Scan a Go project locally for hardcoded credentials, SQL injection risks, and weak cryptography before code review.
- Add gosec to a GitHub Actions workflow to automatically flag security issues on every push or pull request.
- Use taint analysis to trace user-supplied input through your code to dangerous operations like shell commands or database queries.
- Export findings as SARIF to display security alerts directly on GitHub's security tab without a separate dashboard.