gosec - Go Security Checker

Inspects source code for security problems by scanning the Go AST and SSA code representation.

⚠️ Container image migration notice: gosec images were migrated from Docker Hub to ghcr.io/securego/gosec. Starting with release v2.24.7, the image is no longer published on Docker Hub.

Features

  • Pattern-based rules for detecting common security issues in Go code
  • SSA-based analyzers for type conversions, slice bounds, and crypto issues
  • Taint analysis for tracking data flow from user input to dangerous functions (SQL injection, command injection, path traversal, SSRF, XSS, log injection)

License

Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. You may obtain a copy of the License here.

Installation

GitHub Action

You can run gosec as a GitHub action as follows:

Use the versioned tag with @master, which is pinned to the latest stable release. This provides stable behavior.

name: Run Gosec
on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master
jobs:
  tests:
    runs-on: ubuntu-latest
    env:
      GO111MODULE: on
    steps:
      - name: Checkout Source
        uses: actions/checkout@v3
      - name: Run Gosec Security Scanner
        uses: securego/gosec@master
        with:
          args: ./...

Scanning Projects with Private Modules

If your project imports private Go modules, you need to configure authentication so that gosec can fetch the dependencies. Set the following environment variables in your workflow:

  • GOPRIVATE: A comma-separated list of module path prefixes that should be considered private (e.g., github.com/your-org/*).
  • GITHUB_AUTHENTICATION_TOKEN: A GitHub token with read access to your private repositories.

name: Run Gosec
on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master
jobs:
  tests:
    runs-on: ubuntu-latest
    env:
      GO111MODULE: on
      GOPRIVATE: github.com/your-org/*
      GITHUB_AUTHENTICATION_TOKEN: ${{ secrets.PRIVATE_REPO_TOKEN }}
    steps:
      - name: Checkout Source
        uses: actions/checkout@v3
      - name: Run Gosec Security Scanner
        uses: securego/gosec@v2
        with:
          args: ./...

Integrating with code scanning

You can integrate third-party code analysis tools with GitHub code scanning by uploading data as SARIF files.

The workflow below shows an example of running gosec as a step in a GitHub Actions workflow that writes its findings to the results.sarif file. The workflow then uploads results.sarif to GitHub using the upload-sarif action.

name: "Security Scan"

# Run workflow each time code is pushed to your repository and on a schedule.
# The scheduled workflow runs every Sunday at 00:00 UTC.
on:
  push:
  schedule:
  - cron: '0 0 * * 0'

jobs:
  tests:
    runs-on: ubuntu-latest
    env:
      GO111MODULE: on
    steps:
      - name: Checkout Source
        uses: actions/checkout@v3
      - name: Run Gosec Security Scanner
        uses: securego/gosec@v2
        with:
          # We let the report content trigger a failure using the GitHub Security features.
          args: '-no-fail -fmt sarif -out results.sarif ./...'
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v2
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: results.sarif
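
Because the workflow above passes -no-fail, the gosec step always exits 0 and enforcement is left to GitHub code scanning. For a pipeline that consumes results.sarif without that feature, the Go program below is an added example (not code from the gosec project) that reads a SARIF 2.1.0 report and lists the results at a chosen level so a later step can fail on them. The name atLevel and the sample report are constructed for illustration; check your own reports for the level gosec assigns to each severity.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// sarifLog is the subset of SARIF 2.1.0 needed to grade and locate results.
type sarifLog struct {
	Runs []struct {
		Results []struct {
			RuleID    string `json:"ruleId"`
			Level     string `json:"level"`
			Locations []struct {
				PhysicalLocation struct {
					ArtifactLocation struct{ URI string `json:"uri"` } `json:"artifactLocation"`
					Region           struct{ StartLine int `json:"startLine"` } `json:"region"`
				} `json:"physicalLocation"`
			} `json:"locations"`
		} `json:"results"`
	} `json:"runs"`
}

// atLevel lists "ruleId uri:line" for every result reported at the given level.
func atLevel(report []byte, level string) (out []string, err error) {
	var doc sarifLog
	if err = json.Unmarshal(report, &doc); err != nil {
		return nil, fmt.Errorf("parse SARIF: %w", err)
	}
	for _, run := range doc.Runs {
		for _, r := range run.Results {
			if r.Level != level {
				continue
			}
			loc := "(no location)" // keep the finding even if it has no location
			if len(r.Locations) > 0 {
				p := r.Locations[0].PhysicalLocation
				loc = fmt.Sprintf("%s:%d", p.ArtifactLocation.URI, p.Region.StartLine)
			}
			out = append(out, r.RuleID+" "+loc)
		}
	}
	return out, nil
}

// Constructed sample for illustration; not real gosec output.
const sample = `{"version":"2.1.0","runs":[{"results":[
{"ruleId":"G204","level":"error","locations":[{"physicalLocation":{"artifactLocation":{"uri":"cmd/run.go"},"region":{"startLine":42}}}]},
{"ruleId":"G304","level":"warning","locations":[{"physicalLocation":{"artifactLocation":{"uri":"pkg/fs.go"},"region":{"startLine":7}}}]}]}]}`
func main() { fmt.Println(atLevel([]byte(sample), "error")) }
```

A CI step can exit non-zero when the returned slice is non-empty, which restores a hard gate alongside the SARIF upload.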

Go Analysis

The goanalysis package provides a golang.org/x/tools/go/analysis.Analyzer for integration with tools that support the standard Go analysis interface, such as Bazel's nogo framework:

nogo(
    name = "nogo",
    deps = [
        "@com_github_securego_gosec_v2//goanalysis",
        # add more analyzers as needed
    ],
    visibility = ["//visibility:public"],
)

Local Installation

gosec requires Go 1.25 or newer.

go install github.com/securego/gosec/v2/cmd/gosec@latest

Quick start

# Scan all packages in current module
gosec ./...

# Write JSON report
gosec -fmt json -out results.json ./...

# Write SARIF report for code scanning
gosec -fmt sarif -out results.sarif ./...

Exit codes

  • 0: scan finished without unsuppressed findings/errors
  • 1: at least one unsuppressed finding or processing error
  • Use -no-fail to always return 0

Usage

Gosec can be configured to only run a subset of rules, to exclude certain file paths, and produce reports in different formats. By default all rules will be run against the supplied input files. To recursively scan from the current directory you can supply ./... as the input argument.

Available rules

gosec includes rules across these categories:

  • G1xx: general secure coding issues (for example hardcoded credentials, unsafe usage, HTTP hardening, cookie security)
  • G2xx: injection risks in query/template/command construction
  • G3xx: file and path handling risks (permissions, traversal, temp files, archive extraction)
  • G4xx: crypto and TLS weaknesses
  • G5xx: blocklisted imports
  • G6xx: Go-specific correctness/security checks (for example range aliasing and slice bounds)
  • G7xx: taint analysis rules (SQL injection, command injection, path traversal, SSRF, XSS, log, SMTP injection, SSTI and unsafe deserialization)

For the full list, rule descriptions, and per-rule configuration, see RULES.md.

Retired rules

  • G105: Audit the use of math/big.Int.Exp - CVE is fixed
  • G307: Deferring a method which returns an error - causing more inconvenience than fixing a security issue, despite the details from this blog post

Selecting rules

By default, gosec will run all rules against the supplied file paths. It is however possible to select a subset of rules to run via the -include= flag, or to specify a set of rules to explicitly exclude using the -exclude= flag.

# Run a specific set of rules
$ gosec -include=G101,G203,G401 ./...

# Run everything except for rule G303
$ gosec -exclude=G303 ./...

CWE Mapping

Every issue detected by gosec is mapped to a CWE (Common Weakness Enumeration), which describes the vulnerability in more generic terms. The exact mapping can be found here.

Configuration

A number of global settings can be provided in a configuration file as follows:

{
    "global": {
        "nosec": "enabled",
        "audit": "enabled"
    }
}

  • nosec: this setting overrides all #nosec directives defined throughout the code base
  • audit: runs in audit mode, which enables additional checks that might be too noisy for normal code analysis

# Run with a global configuration file
$ gosec -conf config.json .

Path-Based Rule Exclusions

Large repositories with multiple components may need different security rules for different paths. Use exclude-rules to suppress specific rules for specific paths.

Configuration File:

{
  "exclude-rules": [
    {
      "path": "cmd/.*",
      "rules": ["G204", "G304"]
    },
    {
      "path": "scripts/.*",
      "rules": ["*"]
    }
  ]
}

CLI Flag:

# Exclude G204 and G304 from cmd/ directory
gosec --exclude-rules="cmd/.*:G204,G304" ./...

# Exclude all rules from scripts/ directory  
gosec --exclude-rules="scripts/.*:*" ./...

# Multiple exclusions
gosec --exclude-rules="cmd/.*:G204,G304;test/.*:G101" ./...

| Field | Type | Description |
|-------|------|-------------|
| path | string (regex) | Regular expression matched against file paths |
| rules | []string | Rule IDs to exclude. Use * to exclude all rules |
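
Broad path patterns can hide more findings than intended, so it helps to check a suppression string against real file paths before committing it. The Go helper below is an added example, not taken from gosec's source: it parses the --exclude-rules syntax shown above and reports whether a given file and rule would be suppressed. The names parseExclusions and suppressed are hypothetical, and the unanchored regex search is an assumption about matching that should be confirmed against the gosec version in use.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

type exclusion struct {
	path  *regexp.Regexp  // matched against the file path of a finding
	rules map[string]bool // rule IDs, or "*" for every rule
}

// parseExclusions parses "regex:ID,ID;regex:*", splitting each entry at its last ':'.
func parseExclusions(flag string) ([]exclusion, error) {
	var out []exclusion
	for _, entry := range strings.Split(flag, ";") {
		i := strings.LastIndex(entry, ":")
		if i <= 0 || i == len(entry)-1 {
			return nil, fmt.Errorf("malformed entry %q", entry)
		}
		re, err := regexp.Compile(entry[:i])
		if err != nil {
			return nil, fmt.Errorf("bad path regex in %q: %w", entry, err)
		}
		ex := exclusion{path: re, rules: map[string]bool{}}
		for _, id := range strings.Split(entry[i+1:], ",") {
			ex.rules[strings.TrimSpace(id)] = true
		}
		out = append(out, ex)
	}
	return out, nil
}

// suppressed reports whether a finding for rule in file would be hidden.
// Assumption: the regex may match anywhere in the path (unanchored search).
func suppressed(exs []exclusion, file, rule string) bool {
	for _, ex := range exs {
		if ex.path.MatchString(file) && (ex.rules["*"] || ex.rules[rule]) {
			return true
		}
	}
	return false
}

func main() {
	exs, err := parseExclusions("cmd/.*:G204,G304;scripts/.*:*")
	// Constructed path: under an unanchored search, "cmd/.*" also covers internal/cmd/.
	fmt.Println(suppressed(exs, "internal/cmd/exec.go", "G204"), err)
}
```

If the pattern is meant to cover only the top-level directory, anchoring it (for example ^cmd/.*) makes that intent explicit under the same assumption.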

Rule Configuration

Some rules accept configuration flags as well; these flags are documented in [RULES.md](https://github.com/secure
