loading
loading
Static Code Analysis
Inspect Go source code for security problems by scanning the Go AST.
overview
gosec analyzes Go source by walking the abstract syntax tree and matching it against a ruleset for common security mistakes: hardcoded credentials, unsafe SQL string building, weak crypto, command injection, and unchecked errors. Because it reasons about parsed code instead of running it, it catches issues that never reach a test or a live target.
Every rule carries an id, so you dial coverage with -include and -exclude lists and filter the report by -severity and -confidence to keep a run focused on what matters. Output ships in many formats, including JSON, SARIF, and JUnit XML, which makes gosec straightforward to wire into a CI gate or a findings pipeline.
Reach for gosec when the artifact you have is a Go repository, not a running service. Inside a Trickest workflow it takes a target directory, emits the format you choose, and routes findings into the same triage path your dynamic scanners feed.
source github.com/securego/gosec
use cases
Run gosec across a Go project's AST to surface hardcoded secrets, unsafe SQL, weak crypto, and command injection before the code ships.
Let gosec fail the workflow when issues appear, or set -no-fail to report without breaking the build while you triage the backlog.
Use -include and -exclude with rule ids, plus -severity and -confidence filters, so a run reports only the issue classes you care about.
Emit SARIF or JSON with -fmt so gosec results land in the same code-scanning and reporting flow as your dynamic scanner output for one view of risk.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| target | FOLDER | · | Target directory of Go source to scan. |
| severity | STRING | -severity | Report only issues at or above this severity (low, medium, high). |
| confidence | STRING | -confidence | Report only issues at or above this confidence (low, medium, high). |
| output-format | STRING | -fmt | Output format: json, sarif, junit-xml, html, csv, sonarqube, golint, yaml, or text. |
| exclude | STRING | -exclude | Comma-separated rule ids to skip, e.g. G104,G304. |
| include | STRING | -include | Comma-separated rule ids to run exclusively. |
| nosec | BOOLEAN | -nosec | Ignore #nosec comments and report suppressed lines anyway. |
| no-fail | BOOLEAN | -no-fail | Report issues without failing the workflow's exit code. |
Showing key inputs. gosec exposes 14 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| tags | STRING | -tags | Comma-separated list of build tags. |
| nosec | BOOLEAN | -nosec | Ignores #nosec comments when set. |
| quiet | BOOLEAN | -quiet | Only show output when errors are found. |
| tests | BOOLEAN | -tests | Scan test files. |
| target | FOLDER | · | Target directory to scan. |
| exclude | STRING | -exclude | Comma-separated list of rule ids to exclude (rule list on the tool's GitHub page). |
| include | STRING | -include | Comma-separated list of rule ids to include (rule list on the tool's GitHub page). |
| no-fail | BOOLEAN | -no-fail | Do not fail the scan even when issues are found. |
| severity | STRING | -severity | Filter out issues with a lower severity than the given value. Valid options: low, medium, high (default low). |
| nosec-tag | STRING | -nosec-tag | Set an alternative string for #nosec. Examples: #dontanalyze, #falsepositive. |
| confidence | STRING | -confidence | Filter out issues with a lower confidence than the given value. Valid options: low, medium, high (default low). |
| config-file | FILE | -conf | Optional config file. |
| exclude-dir | STRING | -exclude-dir | Exclude a folder from the scan (can be specified multiple times). |
| output-format | STRING | -fmt | Set output format. Valid options: json, yaml, csv, junit-xml, html, sonarqube, golint, sarif, or text (default text). |
example
# scan a Go project, keep high-severity findings, write SARIFgosec -severity high -confidence medium -exclude G104 -fmt sarif ./...[example.com/app/db/users.go:57] - G201 (CWE-89): SQL string formatting (Confidence: HIGH, Severity: MEDIUM) > 57: query := fmt.Sprintf("SELECT * FROM users WHERE id = %s", userID) [example.com/app/auth/token.go:23] - G101 (CWE-798): Potential hardcoded credentials (Confidence: LOW, Severity: HIGH) > 23: signingKey := "s3cr3t-signing-key-do-not-ship" Summary: Files : 214 Lines : 41833 Issues : 9guidance
Use gosec when you have Go source to analyze, not a running target. It is Go-specific, so for other languages use a multi-language engine like semgrep. Pair static analysis with dynamic scanners: gosec reasons about the code, a scanner tests the deployed app.
Multi-language pattern-based analysis. gosec is Go-specific and ships Go security rules out of the box.
Python-only security linter. Same idea as gosec for a different language.
Scans images and code for vulnerabilities and misconfigurations. Broader scope than gosec's Go-AST checks.
faq
related
Find common security issues in Python code.
A source code scanner that reviews Ruby code for security issues.
Analyze big volumes of data in search of hardcoded secrets like keys and passwords.
Git ripper that can rip repositories even when directory browsing is turned off.
Check whether a Git repository pulls in Log4J, and list the files that use it.
Detect hardcoded secrets like passwords, API keys, and tokens in git repos.
Go source feeds gosec, which scans the AST against its ruleset and writes the security findings as a queryable output.
Facts on this page come from the live Trickest tool library.