# Gosec — Security Scanner for Go Source Code

> A static analysis tool that inspects Go source code for security vulnerabilities by scanning the AST for patterns like SQL injection, hardcoded credentials, insecure crypto usage, and other common security issues.

## Quick Use

```bash
# Install
go install github.com/securego/gosec/v2/cmd/gosec@latest

# Scan every package under the current directory
gosec ./...

# Scan with specific rules only
gosec -include=G101,G201 ./...

# Output as JSON for CI integration
gosec -fmt json -out results.json ./...
```

## Introduction

Gosec (Go Security Checker) performs static analysis on Go source code to find security vulnerabilities. It parses the Go AST to identify patterns that commonly lead to exploitable bugs: SQL injection, command injection, hardcoded secrets, weak cryptography, insecure file permissions, and unvalidated input. Teams use it in CI pipelines to catch security issues before code reaches production.

## What Gosec Does

- Scans Go source code AST for security anti-patterns and vulnerability indicators
- Detects SQL injection via string concatenation in database queries
- Identifies hardcoded credentials, API keys, and secret material in source files
- Flags insecure use of cryptographic primitives (weak ciphers, small key sizes)
- Reports issues with severity and confidence levels for prioritized remediation

## Architecture Overview

Gosec loads Go packages using the standard `go/packages` loader, then walks the abstract syntax tree of each file. A set of rule analyzers (each identified by a G-number like G101, G201) inspects specific AST patterns. Rules are categorized by vulnerability class and can be individually enabled or disabled. The scanner outputs findings with file locations, severity ratings, and CWE identifiers. Results can be formatted as text, JSON, CSV, JUnit XML, SARIF, or HTML.
## Self-Hosting & Configuration

- Install as a single binary via `go install` or download from GitHub releases
- Run against any Go module with `gosec ./...` for recursive scanning
- Exclude rules with `-exclude=G104` or include specific ones with `-include=G101,G201`
- Add `//nosec` comments to suppress known false positives on specific lines
- Integrate with GitHub Actions, GitLab CI, or any CI system using JSON/SARIF output

## Key Features

- 30+ security rules covering OWASP Top 10 patterns in Go code
- CWE mapping for each finding enables compliance and tracking workflows
- SARIF output integrates with GitHub Code Scanning and VS Code problem panels
- Configurable severity and confidence thresholds for filtering noise
- Supports scanning Go modules, vendored dependencies, and test files

## Comparison with Similar Tools

- **Semgrep** — multi-language static analysis with custom rules; gosec is Go-specific with deeper understanding of Go idioms
- **staticcheck** — focuses on Go correctness and style; gosec focuses specifically on security vulnerabilities
- **golangci-lint** — meta-linter that can run gosec as one of many linters in a unified pipeline
- **CodeQL** — powerful semantic analysis by GitHub; gosec is simpler to set up and faster for Go-only security scanning

## FAQ

**Q: How do I handle false positives?**

A: Add `//nosec G101` comments on specific lines to suppress individual findings, or use `-exclude` flags to disable rules globally that generate noise in your codebase.

**Q: Does gosec analyze third-party dependencies?**

A: Gosec scans source code in your module tree. For vulnerability scanning of dependency versions, pair it with tools like OSV-Scanner or govulncheck.

**Q: Can I write custom rules?**

A: Gosec supports custom rule development by implementing the Rule interface and registering it with the analyzer, though this requires modifying the gosec source.
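The CI integration, the severity/confidence thresholds and the `-exclude` workflow above come together once the JSON report is consumed by a gate. The program below is an added example written for this page, not part of gosec: it decodes a report of the shape `gosec -fmt json` produces (the `Issue` and `Report` field names follow that format as I understand it and the `sampleReport` contents are constructed), drops issues below the chosen severity and confidence, drops excluded rules and anything already suppressed with `//nosec`, and exits non-zero when something remains. gosec's own `-severity` and `-confidence` flags can filter at scan time; a post-processing gate like this is useful when the full report should be archived while only a subset fails the build.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
	"strconv"
)

// Issue holds the fields of one gosec JSON finding that a CI gate needs. The JSON keys
// follow gosec's report format as I understand it; they are not copied from gosec's source.
type Issue struct {
	Severity   string `json:"severity"`
	Confidence string `json:"confidence"`
	RuleID     string `json:"rule_id"`
	Details    string `json:"details"`
	File       string `json:"file"`
	Line       string `json:"line"`
	Nosec      bool   `json:"nosec"`
	CWE        struct {
		ID string `json:"id"`
	} `json:"cwe"`
}

// Report is the top-level document gosec writes with -fmt json.
type Report struct {
	Issues []Issue `json:"Issues"`
}

// rank orders gosec's LOW/MEDIUM/HIGH levels so thresholds can be compared numerically.
var rank = map[string]int{"LOW": 1, "MEDIUM": 2, "HIGH": 3}

// sampleReport is a constructed gosec report (paths and findings are made up) used as offline input.
const sampleReport = `{"Issues":[
 {"severity":"MEDIUM","confidence":"HIGH","cwe":{"id":"89"},"rule_id":"G201","details":"SQL string formatting","file":"internal/db/users.go","line":"42","nosec":false},
 {"severity":"HIGH","confidence":"LOW","cwe":{"id":"798"},"rule_id":"G101","details":"Potential hardcoded credentials","file":"internal/config/defaults.go","line":"9","nosec":false},
 {"severity":"LOW","confidence":"HIGH","cwe":{"id":"703"},"rule_id":"G104","details":"Errors unhandled","file":"cmd/server/main.go","line":"77","nosec":false},
 {"severity":"MEDIUM","confidence":"HIGH","cwe":{"id":"22"},"rule_id":"G304","details":"File inclusion via variable","file":"internal/files/read.go","line":"18","nosec":true}
]}`

// ParseReport decodes a gosec JSON report.
func ParseReport(data []byte) (*Report, error) {
	var r Report
	if err := json.Unmarshal(data, &r); err != nil {
		return nil, fmt.Errorf("decode gosec report: %w", err)
	}
	return &r, nil
}

// Gate returns the issues that should fail the build: at or above minSeverity and
// minConfidence, not in the excluded rule set, and not already suppressed with //nosec
// (gosec only includes suppressed issues in the report when asked to track them).
func Gate(r *Report, minSeverity, minConfidence string, excluded map[string]bool) []Issue {
	var blocking []Issue
	for _, iss := range r.Issues {
		if iss.Nosec || excluded[iss.RuleID] {
			continue
		}
		if rank[iss.Severity] < rank[minSeverity] || rank[iss.Confidence] < rank[minConfidence] {
			continue
		}
		blocking = append(blocking, iss)
	}
	// A stable order keeps CI output diffable between runs.
	sort.Slice(blocking, func(i, j int) bool {
		if blocking[i].File != blocking[j].File {
			return blocking[i].File < blocking[j].File
		}
		li, _ := strconv.Atoi(blocking[i].Line)
		lj, _ := strconv.Atoi(blocking[j].Line)
		return li < lj
	})
	return blocking
}

func main() {
	r, err := ParseReport([]byte(sampleReport)) // in CI, read the bytes of results.json instead
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	blocking := Gate(r, "MEDIUM", "HIGH", map[string]bool{"G104": true})
	for _, iss := range blocking {
		fmt.Printf("%s:%s %s CWE-%s %s/%s: %s\n", iss.File, iss.Line, iss.RuleID, iss.CWE.ID, iss.Severity, iss.Confidence, iss.Details)
	}
	if len(blocking) > 0 {
		os.Exit(1) // a non-zero exit fails the pipeline step
	}
}
```

With the constructed report and a MEDIUM/HIGH threshold, only the G201 finding blocks: G101 is dropped for LOW confidence, G104 for LOW severity (and it is excluded anyway), and the G304 entry is skipped because it was already suppressed in source. Lowering both thresholds to LOW surfaces the three unsuppressed findings, sorted by file and line.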
**Q: How does gosec compare to govulncheck?**

A: Govulncheck finds known CVEs in dependencies via the Go vulnerability database. Gosec finds security anti-patterns in your own source code. They are complementary tools.

## Sources

- https://github.com/securego/gosec
- https://securego.io/

---

Source: https://tokrepo.com/en/workflows/asset-8a5c831d
Author: Script Depot