whatisgithub

What is gosec?

securego/gosec — explained in plain English

Analysis updated 2026-06-24

8,815GoAudience · developerComplexity · 2/5LicenseSetup · easy

In one sentence

gosec is a command-line tool that scans Go source code for security vulnerabilities, hardcoded passwords, SQL injection risks, weak encryption, unsafe file handling, before your code ever runs.

Mindmap

mindmap
  root((gosec))
    What it does
      Scans Go source code
      Finds security issues
      Static analysis
    Rule Categories
      Injection risks
      Crypto weaknesses
      File handling
      Taint analysis
    Output Formats
      Plain text
      JSON
      SARIF
    Use Cases
      CI security gates
      PR checks
      Code auditing
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Scan a Go project locally for hardcoded credentials, SQL injection risks, and weak cryptography before code review.

USE CASE 2

Add gosec to a GitHub Actions workflow to automatically flag security issues on every push or pull request.

USE CASE 3

Use taint analysis to trace user-supplied input through your code to dangerous operations like shell commands or database queries.

USE CASE 4

Export findings as SARIF to display security alerts directly on GitHub's security tab without a separate dashboard.

What is it built with?

Go

How does it compare?

securego/gosecpatrickmn/go-cacheapex/up
Stars8,8158,8208,803
LanguageGoGoGo
Setup difficultyeasyeasymoderate
Complexity2/52/53/5
Audiencedeveloperdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

Requires Go 1.25 or newer to install.

Apache 2.0 license, use, modify, and distribute freely including in commercial products, with attribution.

So what is it?

gosec is a command-line tool that scans Go source code for security problems before the code ever runs. You point it at your Go project, and it analyzes the code to look for common mistakes that could lead to security vulnerabilities, such as hardcoded passwords, weak encryption, SQL injection risks, unsafe file handling, and more. The tool works by reading the structure of your Go code (the abstract syntax tree and a secondary representation called SSA) and applying a set of rules to flag patterns that are known to be risky. Rules are grouped by category: general secure coding issues, injection risks, file and path handling, cryptographic weaknesses, blocklisted library imports, Go-specific checks, and taint analysis. Taint analysis is the more advanced mode, which tracks data flowing from user-supplied input to potentially dangerous operations like database queries or shell commands. You can run gosec locally with a single install command, or add it as a step in a GitHub Actions workflow so that it checks every push or pull request automatically. Results can be written as plain text, JSON, or SARIF format. The SARIF format integrates directly with GitHub's code scanning feature, which displays findings as security alerts on the repository. The tool supports running all rules by default or selecting a specific subset using include and exclude flags. Individual findings can also be suppressed inline in code when a developer decides a flagged pattern is not a real risk in a particular case. This is an Apache-licensed open-source project maintained by the securego organization. It requires Go 1.25 or newer to install.

Copy-paste prompts

Prompt 1
How do I install gosec and run it against my Go project to find all security vulnerabilities?
Prompt 2
Show me the GitHub Actions YAML to add gosec security scanning to every pull request on my Go repository.
Prompt 3
I have a gosec finding flagging a SQL injection risk but I know it's a false positive in this specific case. How do I suppress just that one finding inline?
Prompt 4
Which gosec rules specifically check for cryptographic weaknesses and how do I run only those rules on my project?
Prompt 5
How do I export gosec results as SARIF and upload them to GitHub Code Scanning to show alerts in the Security tab?

Frequently asked questions

What is gosec?

gosec is a command-line tool that scans Go source code for security vulnerabilities, hardcoded passwords, SQL injection risks, weak encryption, unsafe file handling, before your code ever runs.

What language is gosec written in?

Mainly Go. The stack also includes Go.

What license does gosec use?

Apache 2.0 license, use, modify, and distribute freely including in commercial products, with attribution.

How hard is gosec to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is gosec for?

Mainly developer.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.