Go security-tools

Open-source Go projects categorized as security-tools

Top 23 Go security-tool Projects

  • trivy

    Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

    Project mention: Friends - needs help choosing solution for SBOM vulnerability | /r/devops | 2023-06-01
  • zincsearch

    ZincSearch. A lightweight alternative to elasticsearch that requires minimal resources, written in Go.

    Project mention: OpenObserve: Elasticsearch/Datadog alternative in Rust.. 140x lower storage cost | news.ycombinator.com | 2023-06-11

    Please give the benefit of the doubt on HN.

    This company created ZincSearch:


    Prabhat is one of the core contributors/maintainers:



    Also the negative insinuation of using “cheap” labor out of India to build the product is unnecessary. If you’re concerned about code quality, look at the code.

    Assuming everyone working with devs in India is doing so cynically is not charitable.

    I don't know why the headquarters was set as India versus SF, but does it actually even matter?

  • gitleaks

    Protect and discover secrets using Gitleaks 🔑

    Project mention: Go Security Scanner | /r/golang | 2023-06-08

    Cool. What features/capabilities are different compared to gitleaks?

  • trufflehog

    Find and verify credentials

    Project mention: Seeking help to identify vulnerabilities and secrets in a website backup file | /r/HowToHack | 2023-07-03


  • vuls

    Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices

  • gosec

    Golang security checker

    Project mention: Top 10 Snyk Alternatives for Code Security | dev.to | 2023-08-31

    6. Gosec

  • sliver

    Adversary Emulation Framework

    Project mention: With VPN's such as Twin Gate and TailScale, why open ports to expose services to the internet? | /r/selfhosted | 2023-07-05

    IDK if you are too young to remember the fallout from Snowden, but the Kremlin threw out entire rooms of computers and for a time used actual typewriters. Because those computers had, more or less, twingate connectors on them. That's a bit of a rich example, but you're essentially installing what sliver calls an implant, what meterpreter calls a payload, and what Cobalt Strike calls a beacon. It's cool if you want to, but there's no need when you can just open a port with the same technology a Fortune 50 does.

  • traitor

    Automatic Linux privesc via exploitation of low-hanging fruit e.g. gtfobins, pwnkit, dirty pipe, +w docker.sock

    Project mention: Traitor – Automatic Linux privesc via exploitation of low-hanging fruits | news.ycombinator.com | 2023-06-12
  • certificates

    🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.

    Project mention: Running one’s own root Certificate Authority in 2023 | news.ycombinator.com | 2023-09-16
  • syzkaller

    syzkaller is an unsupervised coverage-guided kernel fuzzer

    Project mention: Fuzz Testing Is the Best Thing to Happen to Our Application Tests | news.ycombinator.com | 2023-08-17

    The key to modern fuzzing is feedback, usually some kind of coverage testing of the program under test. This allows the fuzzer to be much smarter about how it finds new code paths, and makes fuzzing find bugs a lot quicker.

    Google have a project to do fuzzing on Linux system calls using coverage feedback: https://github.com/google/syzkaller

  • osmedeus

    A Workflow Engine for Offensive Security

    Project mention: osmedeus - workflow engine for network osint | /r/OSINT | 2023-03-25
  • Modlishka

    Modlishka. Reverse Proxy.

  • terrascan

    Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.

    Project mention: How are you securing your Azure DevOps IaC pipelines? | /r/AZURE | 2023-05-26

    Terrascan could also be useful: https://github.com/tenable/terrascan

  • scan4all

    Official repository vuls Scan: 15000+PoCs; 23 kinds of application password crack; 7000+Web fingerprints; 146 protocols and 90000+ rules Port scanning; Fuzz, HW, awesome BugBounty( ͡° ͜ʖ ͡°)...

  • spicedb

    Open Source, Google Zanzibar-inspired fine-grained permissions database

    Project mention: How do you manage transactions in Go? Do we really need to use one transaction for each request? | /r/golang | 2023-06-02

    Have you taken a look at SpiceDB? The Authzed blog has a few posts that are useful to improving your understanding -- I can think of two: New Enemies and Writing relationships to SpiceDB.

  • Cameradar

    Cameradar hacks its way into RTSP videosurveillance cameras

    Project mention: Hacking ip cameras | /r/Hacking_Tutorials | 2023-04-29

    You might want to try this tool https://github.com/Ullaakut/cameradar, as most of the webcams are based on RTSP (Real-Time Streaming Protocol) protocol.

  • cli

    🧰 A zero trust swiss army knife for working with X509, OAuth, JWT, OATH OTP, etc. (by smallstep)

    Project mention: Running one’s own root Certificate Authority in 2023 | news.ycombinator.com | 2023-09-16
  • SecretScanner

    Find secrets and passwords in container images and file systems

    Project mention: Securing the software supply chain in the cloud | dev.to | 2022-12-10


  • dockle

    Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start

  • ContainerSSH

    ContainerSSH: Launch containers on demand

    Project mention: Ask HN: Tell us about your project that's not done yet but you want feedback on | news.ycombinator.com | 2023-08-16

    - Build your own honeypot with ContainerSSH (DevConf CZ 2021) [4]

    [1]: https://containerssh.io

  • Stowaway

    👻Stowaway -- Multi-hop Proxy Tool for pentesters

    Project mention: Stowaway -- Multi-hop Proxy Tool for pentesters | /r/cybersecurity | 2023-09-11
  • gokart

    A static analysis tool for securing Go code

  • ksubdomain


NOTE: The open source projects on this list are ordered by number of GitHub stars. The number of mentions indicates repo mentions in the last 12 months or since we started tracking (Dec 2020). The latest post mention was on 2023-09-16.

What are some of the best open-source security-tool projects in Go? This list will help you:

Rank  Project        Stars
1     trivy          18,706
2     zincsearch     15,443
3     gitleaks       13,848
4     trufflehog     12,059
5     vuls           10,258
6     gosec           7,093
7     sliver          6,540
8     traitor         6,201
9     certificates    5,608
10    syzkaller       4,842
11    osmedeus        4,683
12    Modlishka       4,419
13    terrascan       4,218
14    scan4all        4,000
15    spicedb         3,850
16    Cameradar       3,495
17    cli             3,242
18    SecretScanner   2,825
19    dockle          2,478
20    ContainerSSH    2,410
21    Stowaway        2,165
22    gokart          2,119
23    ksubdomain      1,976