Gosec is the standard security linter for Go applications, trusted by thousands of developers to catch vulnerabilities before they reach production.
With over 8,600 GitHub stars, 161 contributors, and CII Best Practices certification, it has become the most widely adopted security scanner in the Go ecosystem.
It performs static analysis on Go source code using AST (Abstract Syntax Tree) and SSA (Static Single Assignment) forms to detect security issues ranging from hardcoded credentials to SQL injection vulnerabilities.
What is Gosec?
Gosec inspects Go source code for security problems by analyzing the structure and data flow of your programs.
Unlike generic linters, gosec focuses specifically on security patterns that lead to exploitable vulnerabilities.
The tool ships with a comprehensive set of rules covering the OWASP Top 10 and CWE categories, making it suitable for security-conscious development teams and compliance requirements.
Version 2.22 introduced AI-powered fix suggestions through integration with Gemini, Claude, and OpenAI-compatible APIs.
This feature provides remediation guidance directly in your terminal, helping developers fix issues faster without switching context.
Key Features
Static Analysis Engine
Gosec parses your Go code into an AST and performs data flow analysis to track how user input moves through your application.
The SSA-based analysis catches complex vulnerabilities that simple pattern matching would miss, such as tainted data reaching SQL queries through multiple function calls.
Rule Categories
The scanner includes rules for detecting hardcoded credentials, SQL injection via string concatenation, command injection, insecure cryptographic operations, weak random number generation, path traversal, and unsafe integer operations.
Each rule maps to CWE identifiers for compliance reporting.
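Added example (not code from the gosec project) showing two of the patterns named above in the form gosec reports them, each beside the form it does not flag: a hardcoded credential (rule G101) and SQL assembled by string formatting (rule G201). The table and column names, the DB_PASSWORD variable and the helper function names are constructed for illustration.

```go
package main

import (
	"database/sql"
	"fmt"
	"os"
)

// Vulnerable: G101 flags a string literal assigned to an identifier that
// looks like a credential (name matches password/secret/token/...).
const dbPassword = "hunter2" // G101: potential hardcoded credentials

// Hardened: read the secret from the environment at runtime (constructed
// variable name), so no credential is committed with the source.
func loadDBPassword() (string, error) {
	p, ok := os.LookupEnv("DB_PASSWORD")
	if !ok || p == "" {
		return "", fmt.Errorf("DB_PASSWORD not set")
	}
	return p, nil
}

// Vulnerable: G201 flags a query built with fmt.Sprintf from a variable.
// The caller's value becomes part of the SQL text; even a legitimate name
// such as O'Brien yields malformed (and, for hostile input, altered) SQL.
func findUserUnsafe(name string) string {
	return fmt.Sprintf("SELECT id FROM users WHERE name = '%s'", name) // G201
}

// Hardened: the SQL text is a constant and the value travels as a bound
// parameter. Query and args are returned separately for inspection and for
// passing on to db.QueryRow(query, args...).
func findUserSafe(name string) (string, []any) {
	const query = "SELECT id FROM users WHERE name = ?"
	return query, []any{name}
}

// runQuery shows the hardened pair used against a real *sql.DB.
func runQuery(db *sql.DB, name string) (int64, error) {
	q, args := findUserSafe(name)
	var id int64
	err := db.QueryRow(q, args...).Scan(&id)
	return id, err
}

func main() {
	fmt.Println(findUserUnsafe("O'Brien")) // quote breaks the statement
	q, args := findUserSafe("O'Brien")
	fmt.Println(q, args) // statement unchanged, value bound separately
}
```

Running `gosec ./...` over this file reports the two marked lines; the hardened functions produce no findings.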
Output Formats
Gosec produces reports in JSON, SARIF (for GitHub Code Scanning), SonarQube, JUnit XML, CSV, and HTML.
The SARIF output integrates directly with GitHub’s security tab, surfacing findings in pull requests.
Installation
Install gosec with the Go toolchain, Homebrew, or Docker:
# Install latest version
go install github.com/securego/gosec/v2/cmd/gosec@latest
# Or use Homebrew on macOS
brew install gosec
# Docker option
docker pull securego/gosec:latest
How to Use Gosec
Run gosec against your Go project:
# Scan current directory recursively
gosec ./...
# Scan with specific rules only
gosec -include=G101,G102,G103 ./...
# Exclude test files
gosec -exclude-dir=vendor -tests=false ./...
# Generate SARIF for GitHub
gosec -fmt=sarif -out=results.sarif ./...
# Enable AI fix suggestions (requires API key)
export GOSEC_AI_API_KEY="your-api-key"
gosec -ai-provider=claude ./...
Integration
GitHub Actions
name: Security Scan
on: [push, pull_request]
jobs:
  gosec:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: securego/gosec@master
        with:
          args: '-fmt sarif -out results.sarif ./...'
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
GitLab CI
gosec:
  image: securego/gosec:latest
  script:
    - gosec -fmt json -out gosec-report.json ./...
  artifacts:
    reports:
      sast: gosec-report.json
Pre-commit Hook
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/securego/gosec
    rev: v2.22.0
    hooks:
      - id: gosec
When to Use Gosec
Gosec fits naturally into Go development workflows where security matters.
Use it as a pre-commit hook to catch issues before they enter your repository, in CI pipelines to gate merges on security findings, and as part of security audits to generate compliance reports.
The tool works well alongside go vet and staticcheck, adding security-specific checks those tools lack.
For teams building APIs, microservices, or CLI tools in Go, gosec provides targeted detection of the vulnerabilities most common in server-side Go code.
The zero-configuration approach means you can add it to existing projects without extensive setup.
