Top 23 Go Static Analysis Projects
-
Project mention: Dockerfile Best Practices: Building Efficient and Secure Containers | dev.to | 2024-08-16
Regularly scan your Docker images for vulnerabilities using tools like Trivy or Clair.
-
reviewdog
🐶 Automated code review tool integrated with any code analysis tools regardless of programming language
Project mention: Supply Chain Attack on Reviewdog GitHub Actions | news.ycombinator.com | 2025-03-20
-
syft
CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Syft (https://github.com/anchore/syft) and ScanCode (https://github.com/aboutcode-org/scancode-toolkit) are good open-source tools to generate SBOMs and search repos for licensing information — I'm curious to hear if there are reasons why those wouldn't work for enterprise purposes.
-
Project mention: Mastering DevSecOps and GitOps for Secure Cloud-Native Applications | dev.to | 2025-06-17
Trivy (https://aquasecurity.github.io/trivy/) is a popular open-source vulnerability scanner for containers and other artifacts.
-
revive
🔥 ~6x faster, stricter, configurable, extensible, and beautiful drop-in replacement for golint
The Uber page does a pretty good job of summing it up. The only thing I'd add is that there has been a little bit of effort to reduce footguns since they've posted this article; as one example, the issue with accidentally capturing range for variables is now fixed in the language[1]. On top of having a built-in race detector since 1.1 and runtime concurrent map access detection since 1.6, Go is also adding more tools to make testing concurrent code easier, which should also help ensure potentially racy code is at least tested[2]. Accidentally capturing named return values is now caught by a popular linting tool[3]. There is also gVisor's checklocks analyzer, which, with the help of annotations, can catch many misuses of mutexes and data protected by mutexes[4]. (This would be a lot nicer as a language feature, but oh well.)
I don't know if I'd evangelize for adopting Go on the scale that Uber has: I think Go works best for shared-nothing architectures and gets gradually less compelling as you dig into more complex concurrency. That said, since Uber is an early adopter, there is a decent chance that what they have learned will help future organizations avoid repeating some of the same issues, via improvements to tooling and the language.
[1]: https://go.dev/blog/loopvar-preview
[2]: https://go.dev/blog/synctest
[3]: https://github.com/mgechev/revive/blob/HEAD/RULES_DESCRIPTIO...
[4]: https://pkg.go.dev/gvisor.dev/gvisor/tools/checklocks
-
Yep, the ecosystem doesn't support anything like it and a lot of Go people are downright hostile towards this solution :)
You could also try your luck with https://github.com/uber-go/nilaway
-
kube-linter
KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.
-
bearer
Code security scanning tool (SAST) to discover, filter and prioritize security and privacy risks.
Project mention: 🛡️ Scan and Protect Any App in 5 Minutes with Bearer CLI (SAST for Everyone) | dev.to | 2025-04-20
🧰 GitHub Repository: https://github.com/Bearer/bearer
-
horusec
Horusec is an open source tool that improves identification of vulnerabilities in your project with just one command.
Horusec GitHub
-
huskyCI
Project mention: 🐶 Secure Your CI Pipeline in Minutes with HuskyCI (SAST for Multiple Languages) | dev.to | 2025-04-25
git clone https://github.com/globocom/huskyCI.git
cd huskyCI
-
globstar
Globstar is a fast, feature-rich, and open-source static analysis toolkit for writing and running code checkers. Based on tree-sitter.
-
bodyclose
Analyzer: checks whether HTTP response body is closed and a re-use of TCP connection is not blocked.
-
regal
Regal is a linter and language server for Rego, bringing your policy development experience to the next level! (by StyraInc)
-
Go Static Analysis discussion
Go Static Analysis related posts
-
🛡️ Secure, Lint, and Validate Your Terraform Like a Pro
-
Globstar: Open-source static analysis toolkit
-
Security and Quality Best Practices in Terraform.
-
Rust vs. Go: Battle for the Back End
-
Show HN: Globstar – Open-source static analysis toolkit
-
Mastering Managed IaC Self-Service: The Complete Guide
-
Union types ('enum types') would be complicated in Go
-
www.saashub.com | 19 Jul 2025
Index
What are some of the best open-source Static Analysis projects in Go? This list will help you:
| # | Project | Stars |
|---|---|---:|
| 1 | clair | 10,714 |
| 2 | grype | 10,275 |
| 3 | reviewdog | 8,529 |
| 4 | gosec | 8,348 |
| 5 | syft | 7,338 |
| 6 | tfsec | 6,856 |
| 7 | go-tools | 6,505 |
| 8 | go-callvis | 6,320 |
| 9 | revive | 5,237 |
| 10 | go-recipes | 4,361 |
| 11 | nilaway | 3,425 |
| 12 | kube-linter | 3,224 |
| 13 | bearer | 2,341 |
| 14 | horusec | 1,242 |
| 15 | go-ruleguard | 832 |
| 16 | huskyCI | 578 |
| 17 | sqlvet | 493 |
| 18 | woke | 485 |
| 19 | globstar | 445 |
| 20 | Chronos | 435 |
| 21 | bodyclose | 318 |
| 22 | regal | 315 |
| 23 | squealer | 233 |