| | gosec | go-tools |
|---|---|---|
| Mentions | 22 | 19 |
| Stars | 7,872 | 6,236 |
| Growth | 0.9% | - |
| Activity | 9.0 | 8.8 |
| Latest commit | 1 day ago | about 1 month ago |
| Language | Go | Go |
| License | Apache License 2.0 | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
gosec

- Top 10 Code Security Tools
- About the gosec G115 drama, or how I faced back integer conversion overflow in Go
  Because of this, gosec, a linter focused on improving the security in Go, provided a linter to detect the issue: the linter G115
- Secure Randomness in Go 1.22
  For those unaware, gosec (and by extension golangci-lint) will warn about uses of `math/rand`
  https://github.com/securego/gosec/blob/d3b2359ae29fe344f4df5...
- Top 10 Snyk Alternatives for Code Security
  6. Gosec
- Safety in Go
  You can (and definitely should!) also use gosec.
- We have getrandom at home
  The crypto source in Go is great, no complaints there. Lints like gosec even recommend using it when generating crypto entropy. Go did a good job here, and I expect Rust will do the same sometime after getrandom reaches 1.0 so the API questions are settled, plus whatever makes sense for the future-proofing the standard library needs.
- Any open source that checks security vulnerabilities in code?
  I think there's the https://github.com/securego/gosec linter
- Goast: Generic static analysis for Go Abstract Syntax Tree by OPA/Rego
  Various static analysis tools are available for the Go language, and existing static analysis tools can check general best practices. For example, gosec is a tool to check secure Go coding, and I use it myself. However, coding rules in software development are not only based on best practices, but can also be software- or team-specific. For example
- Vulnerability Management for Go
  What's the difference between this and https://github.com/securego/gosec?
- GitHub template for Golang services
  A GitHub Actions workflow is provided to run go fmt, vet, test and gosec. An initial configuration for Dependabot is also provided.
go-tools

- Ask HN: What are some interesting tools or code repos you discovered recently
- Gopher Pythonista #1: Moving From Python To Go
  Another useful tool in Go is the go vet command, which helps to identify common coding mistakes such as unreachable code or useless comparisons. In addition, external linters like staticcheck can be used to detect bugs and performance issues with ease.
- Find project-wide unused code using Golang's LSP
  For the last year or so (as of 2023) Golang has only had one active project for linting unused code, namely: unused from https://github.com/dominikh/go-tools. It works really well, but only within a package, not across packages, like within a traditional monolith. unused used to be part of another project called staticcheck, that did indeed have a flag for detecting project-wide unused code, but that is no longer supported. There are good reasons for that (see this GitHub discussion), mainly that it's computationally expensive.
- Why tf golang lets you create maps with duplicated keys
  To a degree, sure. It can't pick it up in general, because of the halting problem. But some trivial cases could be caught. Feel free to write such a linter, I'm sure Dominik would gladly merge it, for example.
- Tools besides Go for a newbie
  IDE: use whatever makes you productive. I personally use vscode. VCS: git, as golang communities use github heavily as base for many libraries. AFAIK Linter: use staticcheck for linting as it looks like the most used linting tool in go, supported by many also. In Vscode it will be recommended once you install the go plugin. Libraries/Framework: actually the standard libraries already include many things you need, decent enough for your day-to-day development cycles (e.g. `net/http`). But here are things for extra: - Struct fields validator: validator - Http server lib: chi router, httprouter, fasthttp (for non standard http implementations, but fast) - Web Framework: echo, gin, fiber, beego, etc - Http client lib: most already covered by stdlib (net/http), so you rarely need an extra lib for this, but if you really need some are: resty - CLI: cobra - Config: godotenv, viper - DB Drivers: sqlx, postgre, sqlite, mysql - nosql: redis, mongodb, elasticsearch - ORM: gorm, entgo, sqlc (codegen) - JS Transpiler: gopherjs - GUI: fyne - grpc: grpc - logging: zerolog - test: testify, gomock, dockertest - and many others you can find here
- New linter for mixing pointer and value method receivers
  Also a proposal to staticcheck, will see if it goes through! https://github.com/dominikh/go-tools/issues/1337
- this result of append is never used, except maybe in other appends (SA4010)
  This is the first result for that error in Google. The comment in that issue explains it. You're building two arrays, c_code and c_start_date, which are built and then never read or returned or otherwise used.
- Zig, the Small Language
  This really irritated me when I started working with go, but it stopped bothering me and now I even mostly like it.
  The missing error checks are annoying, but if you have appropriate editor config it is hard to miss them: https://cdn.billmill.org/static/newsyctmp/warning.png
  Basically writing go without `staticcheck`[1] is not recommended. If you do have it set up, it's pretty easy to avoid simple errors like that.
  [1]: https://staticcheck.io/
- Our experience upgrading from go v1.17 to v1.18 for generics
  However, recently [per this issue](https://github.com/dominikh/go-tools/issues/1270) it is safe to re-enable the ones I highlighted with strikethrough above. I would be interested in tracking issues for the remainder if you have those linked somewhere.
- What are your strategies to prevent nil pointer errors in your code base?
  Unfortunately I don't know of any tools that can/do always detect it. There's this discussion for the staticcheck linter where they basically don't think it's worth the false positives in order to support a lint for it.
What are some alternatives?

- golangci-lint - Fast linters runner for Go
- revive - 🔥 ~6x faster, stricter, configurable, extensible, and beautiful drop-in replacement for golint
- gokart - A static analysis tool for securing Go code
- pre-commit-golang - Pre-commit hooks for Golang with support for monorepos, the ability to pass arguments and environment variables to all hooks, and the ability to invoke custom go tools.
- ls-lint - An extremely fast directory and filename linter - Bring some structure to your project filesystem
- docker-bench-security - The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.
- gofumpt - A stricter gofmt
- rustsec - RustSec API & Tooling
- GNU/Emacs go-mode - Emacs mode for the Go programming language
- gokart-action - Integrate GoKart security static analysis to GitHub Actions
- mopa - MOPA: My Own Personal Any. A macro to implement all the `Any` methods on your own trait.