Scan a Go project locally for hardcoded credentials, SQL injection risks, and weak cryptography before code review.
Add gosec to a GitHub Actions workflow to automatically flag security issues on every push or pull request.
Use taint analysis to trace user-supplied input through your code to dangerous operations like shell commands or database queries.
Export findings as SARIF to display security alerts directly on GitHub's security tab without a separate dashboard.
| securego/gosec | patrickmn/go-cache | apex/up | |
|---|---|---|---|
| Stars | 8,815 | 8,820 | 8,803 |
| Language | Go | Go | Go |
| Setup difficulty | easy | easy | moderate |
| Complexity | 2/5 | 2/5 | 3/5 |
| Audience | developer | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires Go 1.25 or newer to install.
gosec is a command-line tool that scans Go source code for security problems before the code ever runs. You point it at your Go project, and it analyzes the code to look for common mistakes that could lead to security vulnerabilities, such as hardcoded passwords, weak encryption, SQL injection risks, unsafe file handling, and more. The tool works by reading the structure of your Go code (the abstract syntax tree and a secondary representation called SSA) and applying a set of rules to flag patterns that are known to be risky. Rules are grouped by category: general secure coding issues, injection risks, file and path handling, cryptographic weaknesses, blocklisted library imports, Go-specific checks, and taint analysis. Taint analysis is the more advanced mode, which tracks data flowing from user-supplied input to potentially dangerous operations like database queries or shell commands. You can run gosec locally with a single install command, or add it as a step in a GitHub Actions workflow so that it checks every push or pull request automatically. Results can be written as plain text, JSON, or SARIF format. The SARIF format integrates directly with GitHub's code scanning feature, which displays findings as security alerts on the repository. The tool supports running all rules by default or selecting a specific subset using include and exclude flags. Individual findings can also be suppressed inline in code when a developer decides a flagged pattern is not a real risk in a particular case. This is an Apache-licensed open-source project maintained by the securego organization. It requires Go 1.25 or newer to install.
gosec is a command-line tool that scans Go source code for security vulnerabilities, hardcoded passwords, SQL injection risks, weak encryption, unsafe file handling, before your code ever runs.
Mainly Go. The stack also includes Go.
Apache 2.0 license, use, modify, and distribute freely including in commercial products, with attribution.
Setup difficulty is rated easy, with roughly 5min to a first successful run.
Mainly developer.
This repo across BitVibe Labs
Verify against the repo before relying on details.