explaingit

securego/gosec

8,815 stars · Go · Audience: developer · Complexity: 2/5 · License: Apache 2.0 · Setup: easy

TLDR

gosec is a command-line tool that scans Go source code for security problems (hardcoded passwords, SQL injection risks, weak encryption, unsafe file handling, and more) before your code ever runs.

Mindmap

mindmap
  root((gosec))
    What it does
      Scans Go source code
      Finds security issues
      Static analysis
    Rule Categories
      Injection risks
      Crypto weaknesses
      File handling
      Taint analysis
    Output Formats
      Plain text
      JSON
      SARIF
    Use Cases
      CI security gates
      PR checks
      Code auditing

Things people build with this

USE CASE 1

Scan a Go project locally for hardcoded credentials, SQL injection risks, and weak cryptography before code review.

USE CASE 2

Add gosec to a GitHub Actions workflow to automatically flag security issues on every push or pull request.

USE CASE 3

Use taint analysis to trace user-supplied input through your code to dangerous operations like shell commands or database queries.

USE CASE 4

Export findings as SARIF to display security alerts directly on GitHub's security tab without a separate dashboard.

Tech stack

Go

Getting it running

Difficulty · easy · Time to first run · 5 min

Requires Go 1.25 or newer to install.

Apache 2.0 license: use, modify, and distribute freely, including in commercial products, with attribution.

In plain English

gosec is a command-line tool that scans Go source code for security problems before the code ever runs. You point it at your Go project and it analyzes the code for common mistakes that can lead to vulnerabilities: hardcoded passwords, weak encryption, SQL injection risks, unsafe file handling, and more.

The tool works by reading the structure of your Go code (the abstract syntax tree, plus a second representation in static single assignment (SSA) form) and applying a set of rules that flag patterns known to be risky. Rules are grouped by category: general secure-coding issues, injection risks, file and path handling, cryptographic weaknesses, blocklisted library imports, Go-specific checks, and taint analysis. Taint analysis is the more advanced mode: it tracks data flowing from user-supplied input (the source) to potentially dangerous operations such as database queries or shell commands (the sink), rather than matching a single suspicious call in isolation.

You can run gosec locally after a single install command (`go install github.com/securego/gosec/v2/cmd/gosec@latest`, then `gosec ./...` at the root of the module), or add it as a step in a GitHub Actions workflow so that it checks every push or pull request automatically. Results can be written as plain text, JSON, or SARIF (`-fmt=sarif -out=results.sarif`). The SARIF output integrates directly with GitHub's code scanning feature, which displays findings as security alerts on the repository.

All rules run by default; a specific subset can be selected with the `-include` and `-exclude` flags, each taking a comma-separated list of rule IDs. Individual findings can also be suppressed inline with a `#nosec` comment on the flagged line when a developer decides the pattern is not a real risk in that particular case. A suppression applies only to the line it annotates, and naming the rule ID in the comment (for example `// #nosec G201 -- justification`) keeps it from silencing unrelated rules on the same line.

This is an Apache-licensed open-source project maintained by the securego organization. It requires Go 1.25 or newer to install.
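The passages above (the use cases and the description of rule categories, taint analysis, and inline suppression) describe what gosec looks for without showing it. The file below is an added example written for this page, not code from the gosec project: each function pairs a risky pattern with its hardened counterpart, the comments name the rule gosec documents for that pattern, and one line carries a `#nosec` suppression with a justification. The placeholder password, the sample inputs, and the helper names are all constructed for the example.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// Constructed placeholder, not a real secret. A credential literal bound to a
// name like this is the shape G101 (hardcoded credentials) looks for.
const apiPassword = "hunter2-placeholder"

// UnsafeUserQuery splices untrusted input into the statement text. When the
// result reaches db.Query, gosec reports G201 (SQL built with a format string).
func UnsafeUserQuery(name string) string {
	return fmt.Sprintf("SELECT id FROM users WHERE name = '%s'", name)
}

// SafeUserQuery keeps the statement constant and hands the input to the
// driver as a bind parameter, so an injected quote cannot change the query.
func SafeUserQuery(name string) (query string, args []any) {
	return "SELECT id FROM users WHERE name = ?", []any{name}
}

// WeakDigest uses MD5. gosec reports the call (G401, weak primitive) and the
// import of crypto/md5 (G501). The #nosec below silences only G401 on this
// line; G501 on the import line is still reported.
func WeakDigest(data []byte) string {
	sum := md5.Sum(data) // #nosec G401 -- kept only to show the flagged pattern
	return hex.EncodeToString(sum[:])
}

// StrongDigest is the replacement gosec does not object to.
func StrongDigest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// SecureToken reads from crypto/rand. Drawing security-relevant values from
// math/rand instead is G404 (insecure random number source).
func SecureToken(nBytes int) (string, error) {
	b := make([]byte, nBytes)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// UnsafeListing is the source-to-sink flow taint analysis is meant to catch:
// user input concatenated into a shell command line (G204, subprocess
// launched with variable). The command is built but deliberately not run.
func UnsafeListing(dir string) *exec.Cmd {
	return exec.Command("sh", "-c", "ls "+dir)
}

// SafeListing avoids the shell entirely (each argv element is passed to the
// program literally) and additionally rejects anything that is not a plain
// absolute path, so "; id" can never become a second command.
func SafeListing(dir string) (*exec.Cmd, error) {
	if !strings.HasPrefix(dir, "/") || strings.ContainsAny(dir, ";|&$`\n") {
		return nil, errors.New("refusing to list: not a plain absolute path")
	}
	return exec.Command("ls", "--", dir), nil
}

func main() {
	payload := "x' OR '1'='1" // constructed injection attempt
	fmt.Println("unsafe:", UnsafeUserQuery(payload))
	q, args := SafeUserQuery(payload)
	fmt.Println("safe:  ", q, args)
	fmt.Println("md5:   ", WeakDigest([]byte("abc")))
	fmt.Println("sha256:", StrongDigest([]byte("abc")))
	tok, _ := SecureToken(16)
	fmt.Println("token: ", tok)
	fmt.Println("unsafe argv:", UnsafeListing("/tmp; id").Args)
	if _, err := SafeListing("/tmp; id"); err != nil {
		fmt.Println("safe argv:", err)
	}
	_ = apiPassword
}
```

Running `gosec ./...` in a module containing this file exercises several rule categories at once, which makes it a convenient fixture for checking that `-include`/`-exclude` selections and the `#nosec` annotation behave as expected before wiring gosec into CI. Two caveats: the suppression on the MD5 line is per line and per rule, so the blocklisted import is still reported, and G101 applies an entropy heuristic to the literal value, so a short placeholder like the one above may not be reported even though the name matches.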

Copy-paste prompts

Prompt 1
How do I install gosec and run it against my Go project to find all security vulnerabilities?
Prompt 2
Show me the GitHub Actions YAML to add gosec security scanning to every pull request on my Go repository.
Prompt 3
I have a gosec finding flagging a SQL injection risk but I know it's a false positive in this specific case. How do I suppress just that one finding inline?
Prompt 4
Which gosec rules specifically check for cryptographic weaknesses and how do I run only those rules on my project?
Prompt 5
How do I export gosec results as SARIF and upload them to GitHub Code Scanning to show alerts in the Security tab?