Go Security

Open-source Go projects categorized as Security

Top 23 Go Security Projects

  • Caddy

    Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS

    Project mention: New feature: HTTPS support for bpo | reddit.com/r/perl | 2022-11-30

    Rather the answer was to use Caddy as a frontend, because Go programs are statically linked and because Go has its own proven crypto, which together make the creaky platform irrelevant.

  • Lean and Mean Docker containers

    DockerSlim (docker-slim): Don't change anything in your Docker container image and minify it by up to 30x (and for compiled languages even more) making it secure too! (free and open source)

    Project mention: Standard container sizes | reddit.com/r/kubernetes | 2022-11-11

    Anyone tried using https://github.com/docker-slim/docker-slim To minify an image?..

  • trivy

    Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

    Project mention: Is OPA Gatekeeper the best solution for writing policies for k8s clusters? | reddit.com/r/kubernetes | 2022-11-10

  • authelia

    The Single Sign-On Multi-Factor portal for web apps

    Project mention: A way for the users to connect to all services seamlesly ? | reddit.com/r/unRAID | 2022-11-29

  • cilium

    eBPF-based Networking, Security, and Observability

    Project mention: Go based eBPF projects | reddit.com/r/golang | 2022-11-27

    Cilium : Container networking based. It is the torch-bearer of eBPF

  • Ory Hydra

    OpenID Certified™ OpenID Connect and OAuth Provider written in Go - cloud native, security-first, open source API security for your infrastructure. SDKs for any language. Works with Hardware Security Modules. Compatible with MITREid.

    Project mention: Show HN: Open-source OAuth2 server Ory Hydra v2.0 | reddit.com/r/hypeurls | 2022-11-03

  • Gravitational Teleport

    The easiest, most secure way to access infrastructure.

    Project mention: Apache Guacamole (or other) to browse internal web-GUIs? | reddit.com/r/homelab | 2022-11-27

    Dunno if Teleport does it. I've been meaning to deploy it for a while and will be looking into getting it in soon. https://github.com/gravitational/teleport

  • age

    A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.

    Project mention: Secure E2E File Transfer Product Needed | reddit.com/r/AskNetsec | 2022-11-29

    send them a link to a binary release of age; https://github.com/FiloSottile/age/releases/tag/v1.0.0 has binary releases for 4 desktop/server platforms

  • bettercap

    The Swiss Army knife for 802.11, BLE, IPv4 and IPv6 networks reconnaissance and MITM attacks.

    Project mention: PAW-GPS issue - "skipping event 'handshake' because the worker is busy" | reddit.com/r/pwnagotchi | 2022-07-12

    Here's my config.toml for reference (ai is disabled because of issues with bettercap trying to switch to disabled channels, see https://github.com/bettercap/bettercap/issues/881 )

  • sops

    Simple and flexible tool for managing secrets

    Project mention: Ensure that an ansible secrets.yml is never committed unencrypted | reddit.com/r/devops | 2022-11-23

    Use either Mozilla SOPS to encrypt the values in the file, or got-encrypt to encrypt the whole repo

  • gitleaks

    Protect and discover secrets using Gitleaks 🔑

    Project mention: GitHub Access Token Exposure | news.ycombinator.com | 2022-11-20

  • nuclei

    Fast and customizable vulnerability scanner based on simple YAML based DSL.

    Project mention: Thoughts on Vuln scanning public facing websites/hosts during an incident? | reddit.com/r/blueteamsec | 2022-08-17

    Had an idea to leverage the community vuln scanner Nuclei (https://nuclei.projectdiscovery.io/) to just run a quick scan against the public facing hostname/IP. The job isn't supposed to be "hey you're vulnerable to xyz", but to aid in discovering the initial access. I believe this would be considered "good faith" and you're not technically doing anything nefarious, but wanted to get the community's thoughts on this.

  • vuls

    Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices

    Project mention: Scan for vulnerabilities? | reddit.com/r/debian | 2022-08-23

  • gophish

    Open-Source Phishing Toolkit

    Project mention: "Scam Defense" training? | reddit.com/r/Scams | 2022-10-23

  • chezmoi

    Manage your dotfiles across multiple diverse machines, securely.

    Project mention: How to manage dotfiles and organize it effectively? | reddit.com/r/linux4noobs | 2022-11-15

    I use a tool called chezmoi. It has an apply mechanism that just copies files to the proper location. It also uses Go templates to manage different host/OS configurations.

  • kubescape

    Kubescape is a K8s open-source tool providing a multi-cloud K8s single pane of glass, including risk analysis, security compliance, RBAC visualizer and image vulnerabilities scanning.

    Project mention: How to validate Kubernetes YAML files? | dev.to | 2022-10-20

    New security controls are something you should incorporate into your security validation steps. Kubescape, an open-source platform by AMRO, allows you to define your own framework of controls. Even though the out-of-the-box framework is robust, you will see your policy controls take shape per the exact needs of your business and Kubernetes resources.

  • gosec

    Golang security checker

    Project mention: Goast: Generic static analysis for Go Abstract Syntax Tree by OPA/Rego | dev.to | 2022-09-12

    Various static analysis tools are available for the Go language, and existing static analysis tools can check general best practices. For example, gosec is a tool to check secure Go coding, and I use it myself. However, coding rules in software development are not only based on best practices, but can also be software- or team-specific. For example

  • Blackbox

    Safely store secrets in Git/Mercurial/Subversion

    Project mention: We have this many ".env" files in a project at work. Is this normal? Is there a better way? | reddit.com/r/webdev | 2022-06-16

    My preferred version is blackbox: https://github.com/StackExchange/blackbox

  • crowdsec

    CrowdSec - the open-source and participative IPS able to analyze visitor behavior & provide an adapted response to all kinds of attacks. It also leverages the crowd power to generate a global CTI database to protect the user network.

    Project mention: What service can I use to ban users? | reddit.com/r/webdev | 2022-11-18

    You should check out https://crowdsec.net. More advanced, uses crowdsourced CTI to block attacks even before they happen. Also both nginx and captcha are supported. Disclaimer: I am head of community. Visit /r/CrowdSec or our Discord at https://discord.gg/crowdsec if you have questions :-)

  • lego

    Let's Encrypt/ACME client and library written in Go

    Project mention: Anyone know of a decent enterprise linux crash course? | reddit.com/r/sysadmin | 2022-11-01

    Yes, for a lot of stuff, we typically either use some wildcard certs or letsencrypt issued certs. Personally I've been moving away from certbot to software that has it built-in (i.e. Caddy server) or use go-acme/lego. The reason I've stopped using certbot is that they've switched to only publishing snap packages. I don't use snap in prod.

  • Netmaker

    Netmaker makes networks with WireGuard. Netmaker automates fast, secure, and distributed virtual networks.

    Project mention: 0.17.0 in Pre-Release | reddit.com/r/netmaker | 2022-11-30

  • tfsec

    Security scanner for your Terraform code

    Project mention: My Cloud Resume Challenge Journey | dev.to | 2022-11-30

    Once I completed the main steps of the challenge, I went back to do some security modifications including enabling DNSSEC, deploying WAF (I ended up removing this as the costs were quite high and instead set up account level throttling for my API) and running IAM Access Analyser to flag anything I'd over-permissioned. I also set up Git commit signing and added a new Git Action workflow to run Tfsec any time I updated my Terraform config files

  • gopass

    The slightly more awesome standard unix password manager for teams

    Project mention: Tool / workflow recommendations for the terminal | reddit.com/r/commandline | 2022-10-19

    I wrote my own secret manager: safe. It stores your secrets as encrypted files on your disk (like pass and gopass), and is accessible from the command line. It differs from them in that you only need a master password to use it (so no GPG keys to manage). It comes with an agent (like ssh-agent) that can store your encryption key in memory to avoid typing your master password over and over.

NOTE: The open source projects on this list are ordered by number of GitHub stars. The number of mentions indicates repo mentions in the last 12 months or since we started tracking (Dec 2020). The latest post mention was on 2022-11-30.

What are some of the best open-source Security projects in Go? This list will help you:

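| Rank | Project | Stars |
|------|---------|-------|
| 1 | Caddy | 44,433 |
| 2 | Lean and Mean Docker containers | 15,525 |
| 3 | trivy | 15,012 |
| 4 | authelia | 14,760 |
| 5 | cilium | 13,620 |
| 6 | Ory Hydra | 13,468 |
| 7 | Gravitational Teleport | 13,133 |
| 8 | age | 12,144 |
| 9 | bettercap | 12,059 |
| 10 | sops | 11,391 |
| 11 | gitleaks | 11,231 |
| 12 | nuclei | 10,667 |
| 13 | vuls | 9,640 |
| 14 | gophish | 8,360 |
| 15 | chezmoi | 8,017 |
| 16 | kubescape | 7,302 |
| 17 | gosec | 6,445 |
| 18 | Blackbox | 6,370 |
| 19 | crowdsec | 5,800 |
| 20 | lego | 5,732 |
| 21 | Netmaker | 5,646 |
| 22 | tfsec | 5,354 |
| 23 | gopass | 4,935 |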