Scripts · May 16, 2026 · 1 min read

Gosec — Security Scanner for Go Source Code

A static analysis tool that inspects Go source code for security vulnerabilities by scanning the AST for patterns like SQL injection, hardcoded credentials, insecure crypto usage, and other common security issues.

Agent-ready

This asset can be read and installed directly by an agent.

TokRepo provides a generic CLI command, an install contract, metadata JSON, per-adapter install plans and a link to the raw content, so an agent can judge fit, risk and the next action.

Native · 98/100 · Policy: allow
Agent entry: any MCP/CLI agent
Type: Skill
Install: Single
Trust level: Established
Entry: Gosec Overview
Generic CLI install command: npx tokrepo install 8a5c831d-5121-11f1-9bc6-00163e2b0d79

Introduction

Gosec (Go Security Checker) performs static analysis on Go source code to find security vulnerabilities. It parses the source into a Go AST and looks for patterns that commonly lead to exploitable bugs: SQL injection, command injection, hardcoded secrets, weak cryptography, insecure file permissions, and unvalidated input. Teams run it in CI pipelines to catch these issues before code reaches production.

What Gosec Does

  • Scans Go source code AST for security anti-patterns and vulnerability indicators
  • Detects SQL queries assembled from format strings (G201) or string concatenation (G202) instead of parameterized queries
  • Identifies hardcoded credentials, API keys, and secret material in source files
  • Flags insecure use of cryptographic primitives (weak ciphers, small key sizes)
  • Reports issues with severity and confidence levels for prioritized remediation

Architecture Overview

Gosec loads Go packages using the standard go/packages loader, which also gives it type information, then walks the abstract syntax tree of each file. A set of rule analyzers, each identified by a G-number such as G101 or G201, inspect specific AST patterns. Rules are grouped by vulnerability class and can be individually enabled or disabled. Each finding carries the file and line, a severity and confidence rating, and a CWE identifier. Results can be formatted as text, JSON, YAML, CSV, JUnit XML, SARIF, or HTML.
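The AST-walking approach described above, as an added example that is not gosec's own code: a miniature scanner built on the standard go/ast and go/parser packages, with two toy rules modelled on gosec's G201 (SQL built with fmt.Sprintf) and G202 (SQL built by concatenation) checks and a nosec line filter. The Finding type, the rule heuristics and the store.go sample it scans are constructed for this illustration; gosec's real rules work on packages loaded with type information and are far more thorough.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Finding is the essence of a gosec issue: the rule that fired and where.
type Finding struct {
	RuleID string
	Line   int
}

// looksLikeSQL is the cheap heuristic the SQL rules start from: a string literal opening with a query keyword.
func looksLikeSQL(e ast.Expr) bool {
	lit, ok := e.(*ast.BasicLit)
	if !ok || lit.Kind != token.STRING {
		return false
	}
	s := strings.ToUpper(strings.Trim(lit.Value, "\"`"))
	return strings.HasPrefix(s, "SELECT ") || strings.HasPrefix(s, "INSERT ") ||
		strings.HasPrefix(s, "UPDATE ") || strings.HasPrefix(s, "DELETE ")
}

// nosecLines collects the lines carrying a "#nosec" (or legacy "//nosec") directive. Real gosec also
// honours rule IDs after the tag ("#nosec G201"); this toy suppresses every rule on the line.
func nosecLines(fset *token.FileSet, f *ast.File) map[int]bool {
	out := map[int]bool{}
	for _, cg := range f.Comments {
		for _, c := range cg.List {
			if strings.HasPrefix(strings.TrimLeft(c.Text, "/ #"), "nosec") {
				out[fset.Position(c.Pos()).Line] = true
			}
		}
	}
	return out
}

// Scan parses src, walks its AST once and applies two toy rules modelled on gosec's G201 (SQL built
// with fmt.Sprintf) and G202 (SQL built by string concatenation), skipping nosec-annotated lines.
func Scan(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, parser.ParseComments)
	if err != nil {
		return nil, err
	}
	nosec := nosecLines(fset, f)
	var found []Finding
	report := func(n ast.Node, id string) {
		if line := fset.Position(n.Pos()).Line; !nosec[line] {
			found = append(found, Finding{RuleID: id, Line: line})
		}
	}
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.CallExpr: // fmt.Sprintf("SELECT ... %s", v)
			if sel, ok := x.Fun.(*ast.SelectorExpr); ok && len(x.Args) > 0 && looksLikeSQL(x.Args[0]) {
				if pkg, ok := sel.X.(*ast.Ident); ok && pkg.Name == "fmt" && sel.Sel.Name == "Sprintf" {
					report(x, "G201")
				}
			}
		case *ast.BinaryExpr: // "SELECT ... '" + v + "'"
			if x.Op == token.ADD && (looksLikeSQL(x.X) || looksLikeSQL(x.Y)) {
				report(x, "G202")
			}
		}
		return true
	})
	return found, nil
}

// sample is constructed input for this example (imports omitted: the scanner parses, it does not type-check).
const sample = `package store
func findBad(db *DB, name string) (*Rows, error) {
	return db.Query(fmt.Sprintf("SELECT id FROM users WHERE name = '%s'", name))
}
func findConcat(db *DB, name string) (*Rows, error) {
	return db.Query("SELECT id FROM users WHERE name = '" + name + "'")
}
func findGood(db *DB, name string) (*Rows, error) {
	return db.Query("SELECT id FROM users WHERE name = $1", name) // parameterised: not reported
}
func audit(name string) string {
	return fmt.Sprintf("SELECT performed by %s", name) // #nosec G201 -- a log line, not a query
}
`

func main() {
	findings, err := Scan("store.go", sample)
	if err != nil {
		panic(err)
	}
	for _, fd := range findings {
		fmt.Printf("[%s] store.go:%d\n", fd.RuleID, fd.Line)
	}
}
```

Running it reports G201 on line 3 and G202 on line 6 of the sample, stays silent on the parameterised query in findGood, and drops the Sprintf on line 12 because of the nosec directive. That last case is the whole point of nosec: the heuristic cannot tell a log message from a query, so the human has to record the verdict next to the line.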

Self-Hosting & Configuration

  • Install as a single binary with go install github.com/securego/gosec/v2/cmd/gosec@latest or download a release from GitHub
  • Run against any Go module with gosec ./... for recursive scanning
  • Exclude rules with -exclude=G104 or restrict the run to specific ones with -include=G101,G201
  • Add // #nosec comments (the older //nosec spelling is also accepted), optionally naming rule IDs such as // #nosec G101, to suppress known false positives on specific lines
  • Integrate with GitHub Actions, GitLab CI, or any CI system using JSON/SARIF output and a non-zero exit code on findings

Key Features

  • 30+ security rules covering OWASP Top 10 patterns in Go code
  • CWE mapping for each finding enables compliance and tracking workflows
  • SARIF output integrates with GitHub Code Scanning and VS Code problem panels
  • Configurable severity and confidence thresholds for filtering noise
  • Supports scanning Go modules, vendored dependencies, and test files (enable the latter with -tests)

Comparison with Similar Tools

  • Semgrep — multi-language static analysis with custom rules; gosec is Go-specific with deeper understanding of Go idioms
  • staticcheck — focuses on Go correctness and style; gosec focuses specifically on security vulnerabilities
  • golangci-lint — meta-linter that can run gosec as one of many linters in a unified pipeline
  • CodeQL — powerful semantic analysis by GitHub; gosec is simpler to set up and faster for Go-only security scanning

FAQ

Q: How do I handle false positives? A: Add // #nosec G101 comments (or the older //nosec G101 form) on specific lines to suppress individual findings, or use -exclude flags to disable rules globally that generate noise in your codebase. Naming the rule ID in the comment keeps other rules active on that line.

Q: Does gosec analyze third-party dependencies? A: Gosec scans source code in your module tree. For vulnerability scanning of dependency versions, pair it with tools like OSV-Scanner or govulncheck.

Q: Can I write custom rules? A: Gosec is written in Go and its rules implement a Rule interface that is registered with the analyzer, so a custom rule means writing Go code and building a custom gosec binary that includes it; there is no runtime plugin or rule-file mechanism as in Semgrep.

Q: How does gosec compare to govulncheck? A: Govulncheck finds known CVEs in dependencies via the Go vulnerability database. Gosec finds security anti-patterns in your own source code. They are complementary tools.
