sourcepulse logobeta
HomeBrowse all repos

gosec  by securego

Go security checker for scanning Go AST and SSA code

created 9 years ago
8,382 stars

Top 6.2% on sourcepulse

GitHubView on GitHub
4 Experts Love This Project
bcherny
Boris Cherny
Creator of Claude Code; MTS at Anthropic
gakonst
Georgios Konstantopoulos
CTO, General Partner at Paradigm
calvinfo
Calvin French-Owen
Coounder of Segment
dknecht
Dane Knecht
CTO of Cloudflare
Project Summary

gosec is a Go security checker that inspects source code for security vulnerabilities by analyzing the Go Abstract Syntax Tree (AST) and Static Single Assignment (SSA) representations. It helps developers identify and mitigate common security risks in their Go applications, supporting integration with CI/CD pipelines and offering various output formats for reporting.

How It Works

gosec scans Go source code by parsing it into an AST and then into an SSA representation. This allows for deeper analysis of code flow and data propagation, enabling the detection of a wide range of security issues, from hardcoded credentials and insecure TLS configurations to potential denial-of-service vulnerabilities and improper file permissions. Its rule-based approach is extensible, with a comprehensive list of checks mapped to CWEs.

Quick Start & Requirements

  • Install via go install github.com/securego/gosec/v2/cmd/gosec@latest or using the provided install script.
  • Requires Go toolchain.
  • Official documentation: https://github.com/securego/gosec

Highlighted Details

  • Detects over 100 security vulnerabilities across various categories.
  • Supports AI-assisted vulnerability fixing suggestions (e.g., using Gemini).
  • Integrates with GitHub Actions for automated security scanning and SARIF output.
  • Offers extensive configuration options for rule selection, exclusion, and output formats (JSON, SARIF, SonarQube, etc.).

Maintenance & Community

  • Actively maintained by the securego community.
  • Development information available in CONTRIBUTING.md.
  • Release process involves tagging and automated builds/publishing via goreleaser.

Licensing & Compatibility

  • Licensed under the Apache License, Version 2.0.
  • Permissive license suitable for commercial use and integration into closed-source projects.

Limitations & Caveats

  • Some rules may require specific Go versions or have known limitations (e.g., G601 for Go 1.21 or lower).
  • AI-assisted fixing relies on external API providers and requires API keys.
  • False positives are possible and can be suppressed via #nosec comments or configuration.
Health Check
Last commit

5 days ago

Responsiveness

1 day

Pull Requests (30d)
8
Issues (30d)
3
Star History
219 stars in the last 90 days

Explore Similar Projects

Starred by Travis Fischer Travis Fischer(Founder of Agentic) and Joe Walnes Joe Walnes(Head of Experimental Projects at Stripe).

mcp-shield by riseandignite

0.6%
494
CLI tool for MCP server security scanning
created 3 months ago
updated 3 months ago
Starred by Alexey Milovidov Alexey Milovidov(Cofounder of Clickhouse).

gato-x by AdnaneKhan

0.5%
381
Static analysis & exploit toolkit for GitHub Actions pipelines
created 1 year ago
updated 2 weeks ago

vet by safedep

3.8%
618
SCA tool for supply chain security
created 2 years ago
updated 3 days ago

legitify by Legit-Labs

0%
813
CLI tool for detecting SCM misconfigurations and security risks
created 3 years ago
updated 4 months ago

finite-monkey-engine by BradMoonUESTC

1.8%
278
AI engine for smart contract audit
created 1 year ago
updated 5 days ago

zk-bug-tracker by 0xPARC

0.4%
680
ZK bug/vulnerability database for apps using zero-knowledge crypto
created 2 years ago
updated 7 months ago

SecGPT by ZacharyZcR

0.7%
288
Security agent emulating AutoGPT for network security tasks
created 2 years ago
updated 1 year ago

DeepSeekSelfTool by ChinaRan0

0.3%
618
AI cybersecurity toolkit by DeepSeek for network security tasks
created 6 months ago
updated 5 months ago

AI-Infra-Guard by Tencent

1.7%
2k
AI infrastructure vulnerability scanner & MCP server security analyzer
created 7 months ago
updated 1 day ago
Starred by Dan Guido Dan Guido(Cofounder of Trail of Bits).

vulnhuntr by protectai

13.5%
2k
LLM-powered tool for zero-day vulnerability discovery via static code analysis
created 9 months ago
updated 5 months ago
Starred by Travis Fischer Travis Fischer(Founder of Agentic), Tom Brown Tom Brown(Cofounder of Anthropic), and
5 more.

trufflehog by trufflesecurity

0.3%
20k
CLI tool to find, verify, and analyze leaked credentials in various data sources
created 8 years ago
updated 1 day ago

Scanners-Box by We5ter

0.1%
9k
Hacker toolkit for security automation, collecting open-source scanners
created 8 years ago
updated 8 months ago
Feedback? Help us improve.