gosec
Go source code security scanner
TLDR
SYNOPSIS
gosec [options] package...
DESCRIPTION
gosec (Go Security Checker) inspects Go source code for security problems by analyzing the abstract syntax tree (AST) of each package against a set of built-in rules. Each rule has an identifier of the form Gnnn (for example G101 for hardcoded credentials or G401 for use of weak cryptographic primitives) and reports the file, line, severity, and confidence of every match. It is designed to run in continuous-integration pipelines: results can be emitted in machine-readable formats such as JSON, YAML, CSV, SARIF, and JUnit XML, and the exit status can be made non-zero when issues are found. Rule selection, severity and confidence thresholds, directory exclusions, and inline #nosec annotations let you tune the signal to a project's needs.
PARAMETERS
-fmt format
Set the output format: text (default), json, yaml, csv, junit-xml, html, sonarqube, golint, sarif.
-out file
Write the report to the given file instead of standard output.
-include ids
Comma-separated list of rule IDs to run exclusively.
-exclude ids
Comma-separated list of rule IDs to skip.
-exclude-dir dir
Exclude a directory from the scan; may be repeated.
-severity level
Report only issues at the given severity or higher (low, medium, high).
-confidence level
Report only issues at the given confidence or higher (low, medium, high).
-tests
Include Go test files (_test.go) in the analysis.
-no-fail
Always exit with status 0, even when issues are found.
CAVEATS
gosec performs static analysis and can produce false positives; use #nosec comments or rule exclusions to silence findings you have reviewed. It complements, but does not replace, runtime testing and dependency vulnerability scanning such as govulncheck.
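The rules named under DESCRIPTION and the #nosec annotation mentioned under CAVEATS, as an added example that is not gosec's own code or part of this page: the first two definitions are the kind of code G101 (hardcoded credentials) and G401 (weak cryptographic primitives) are described as reporting, followed by hardened replacements and a reviewed finding silenced with an inline annotation. The token value, the environment-variable names, and the function names are constructed for the example; the command line in the header comment uses only options listed under PARAMETERS.

```go
// Added example, not gosec's own code: what G101 and G401 are described as
// flagging, the hardened equivalents, and a #nosec annotation on a reviewed
// finding. Scan it with, for instance:
//   gosec -severity medium -confidence medium -fmt json ./...
package main

import (
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
)

// --- Code of the kind the rules report (kept here as the "before") ---

// A credential baked into the source: the assignment pattern G101 targets.
// The value is constructed for this example and is not a real key.
const hardcodedToken = "sk_example_0123456789abcdef"

// fingerprintWeak hashes with MD5, one of the weak primitives G401 reports.
func fingerprintWeak(data []byte) string {
	sum := md5.Sum(data)
	return hex.EncodeToString(sum[:])
}

// --- Hardened replacements ---

// loadToken reads the credential from the environment at run time, so no
// secret lives in the source tree or in the compiled binary. envVar is the
// name of the variable to read (a hypothetical name chosen by the caller);
// an unset or empty variable is reported as an error rather than used.
func loadToken(envVar string) (string, error) {
	tok, ok := os.LookupEnv(envVar)
	if !ok || tok == "" {
		return "", errors.New("credential not provided: set " + envVar)
	}
	return tok, nil
}

// fingerprint hashes with SHA-256 instead of MD5, so G401 has nothing to report.
func fingerprint(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// A reviewed false positive: the identifier contains "password" and holds a
// string literal, but the literal is the name of an environment variable,
// not a secret. The inline annotation silences only G101 on this line and
// keeps the justification next to it for the next reviewer.
const passwordEnvVar = "APP_DB_PASSWORD" // #nosec G101 -- env var name, not a credential

func main() {
	data := []byte("example payload") // constructed input
	fmt.Println("md5   :", fingerprintWeak(data))
	fmt.Println("sha256:", fingerprint(data))

	// APP_API_TOKEN is a hypothetical variable name; unset, this prints the error.
	if _, err := loadToken("APP_API_TOKEN"); err != nil {
		fmt.Println("token :", err)
	}
	_ = hardcodedToken
	_ = passwordEnvVar
}
```

Running gosec over this file with the default rule set and no -exclude gives findings on the hardcoded constant and the MD5 call, while the annotated constant is skipped; after the "before" definitions are removed, the scan is clean. Keep the justification text on the #nosec line, since a bare annotation tells the next reader nothing about why the finding was accepted.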
HISTORY
gosec started life as gas (Go AST Scanner) and was later renamed. It is maintained by the securego community project and is widely integrated into Go CI tooling, including golangci-lint.
SEE ALSO
golangci-lint(1), staticcheck(1), semgrep(1), go(1)
