Go Static Analysis

Open-source Go projects categorized as Static Analysis

Top 23 Go Static Analysis Projects

  • clair

    Vulnerability Static Analysis for Containers

    Project mention: Implement DevSecOps to Secure your CI/CD pipeline | dev.to | 2022-09-27

    Open source: Trivy, Grype and Clair are widely used open source tools for container scanning.

  • gosec

    Golang security checker

    Project mention: Goast: Generic static analysis for Go Abstract Syntax Tree by OPA/Rego | dev.to | 2022-09-12

    Various static analysis tools are available for the Go language, and existing static analysis tools can check general best practices. For example, gosec is a tool to check secure Go coding, and I use it myself. However, coding rules in software development are not only based on best practices, but can also be software- or team-specific. For example

  • reviewdog

    🐶 Automated code review tool integrated with any code analysis tools regardless of programming language

    Project mention: Reviewdog: Code analysis regardless of programming language | news.ycombinator.com | 2022-10-11

  • tfsec

    Security scanner for your Terraform code

    Project mention: Atlantis vs. Terraform Cloud / Terraform Enterprise – Comparison | dev.to | 2022-09-14

    Flexibility is one of the core advantages of Atlantis, as it allows easy integration with other Terraform-helper tools (e.g., tfsec, checkov, Infracost, or Terratag). It can work with Terraform wrappers, such as Terragrunt, out of the box and even add some of Terragrunt’s features to vanilla Terraform – like before and after hooks for every execution stage (init, plan, apply, etc.).

  • go-tools

    Staticcheck - The advanced Go linter

    Project mention: this result of append is never used, except maybe in other appends (SA4010) | reddit.com/r/golang | 2022-11-10

    This is the first result for that error in Google. The comment in that issue explains it. You're building two arrays, c_code and c_start_date, which are built and then never read or returned or otherwise used.

  • grype

    A vulnerability scanner for container images and filesystems

    Project mention: Keeping up with dependencies like a boss | reddit.com/r/programming | 2022-11-01

    I'll continue relying on Anitya for the feed and syft/grype to build my SBOM and track vulnerabilities.

  • go-callvis

    Visualize call graph of a Go program using Graphviz

  • revive

    🔥 ~6x faster, stricter, configurable, extensible, and beautiful drop-in replacement for golint (by mgechev)

    Project mention: Is there a better alternative to `gofmt`? | reddit.com/r/golang | 2021-12-29

    Been using https://github.com/mgechev/revive in all my projects.

  • syft

    CLI tool and library for generating a Software Bill of Materials from container images and filesystems

    Project mention: `cargo audit` can now scan compiled binaries | reddit.com/r/rust | 2022-11-02

    I think you can already do that using Syft.

  • kube-linter

    KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.

    Project mention: Kubernetes YAML Linter for vscode? | reddit.com/r/kubernetes | 2022-11-07

    Another great tool is KubeLinter which checks for a lot of helpful stuff, including dangling references. This is nice, but it is a command-line tool, so I don't get live feedback in my editor.

  • gokart

    A static analysis tool for securing Go code

  • go-ruleguard

    Define and run pattern-based custom linting rules.

    Project mention: Linter for strings ? | reddit.com/r/golang | 2022-07-26

    You can try https://github.com/quasilyte/go-ruleguard

  • Chronos

    Chronos - A static race detector for the go language (by amit-davidson)

  • woke

    Detect non-inclusive language in your source code.

  • go-mnd

    Magic number detector for Go.

    Project mention: Runtime immutability checks library | reddit.com/r/golang | 2022-01-11

    https://github.com/tommy-muehle/go-mnd makes you think a lot about such constants and how you should call them

  • defsec

    DefSec is a set of tools for scanning definitions of infrastructure

    Project mention: Monokle 1.7.0 Integrates Open Policy Agent (OPA) Validation | reddit.com/r/kubernetes | 2022-05-03

    This integration enables hints and warnings when your manifest violates a given policy. Kudos to our friends at Aquasec for sharing their security team’s rules with us. These rules are used in trivy and open sourced through the defsec project and now form part of Monokle, too!

  • squealer

    Telling tales on you for leaking secrets!

  • mllint

    `mllint` is a command-line utility to evaluate the technical quality of Python Machine Learning (ML) projects by means of static analysis of the project's repository.

  • go-perfguard

    CPU-guided performance analyzer for Go

    Project mention: How can I learn more about how Go is optimizing/compiling my program? E.g. why certain functions get inlined but not others, why certain things escape to the heap, how much copying is happening, etc. | reddit.com/r/golang | 2022-07-30

    There's also this tool that you may find interesting: https://github.com/quasilyte/go-perfguard

  • enumcheck

    Allows marking Go enum types as exhaustive.

    Project mention: Why are enums not a thing in Go? | reddit.com/r/golang | 2022-05-22

    closed set of enumerated values/types; use a linter, e.g. enumcheck

  • nilnil

    The Golang linter that checks that there is no simultaneous return of `nil` error and an invalid value.

    Project mention: Nil check on pointer return types? | reddit.com/r/golang | 2022-08-11

  • phpunisher

    Finds smelly php code pieces

  • go-commentage

    🐢 how far Go comments drifting behind

    Project mention: Tool to get age of comments | reddit.com/r/golang | 2022-11-28

NOTE: The open source projects on this list are ordered by number of GitHub stars. The number of mentions indicates repo mentions in the last 12 months or since we started tracking (Dec 2020). The latest post mention was on 2022-11-28.

What are some of the best open-source Static Analysis projects in Go? This list will help you:

Rank  Project        Stars
1     clair          9,180
2     gosec          6,445
3     reviewdog      5,779
4     tfsec          5,354
5     go-tools       5,061
6     grype          4,827
7     go-callvis     4,500
8     revive         3,882
9     syft           3,412
10    kube-linter    2,120
11    gokart         2,049
12    go-ruleguard   638
13    Chronos        381
14    woke           356
15    go-mnd         156
16    defsec         127
17    squealer       125
18    mllint         67
19    go-perfguard   58
20    enumcheck      25
21    nilnil         12
22    phpunisher     4
23    go-commentage  0