Go Static Analysis

Open-source Go projects categorized as Static Analysis

Top 23 Go Static Analysis Projects

  1. clair

    Vulnerability Static Analysis for Containers

    Project mention: Dockerfile Best Practices: Building Efficient and Secure Containers | dev.to | 2024-08-16

    Regularly scan your Docker images for vulnerabilities using tools like Trivy or Clair.

  3. grype

    A vulnerability scanner for container images and filesystems

    Project mention: Deep Dive 🤿: Where Does Grype Data Come From? | dev.to | 2024-11-12
  4. reviewdog

    🐶 Automated code review tool integrated with any code analysis tools regardless of programming language

    Project mention: Supply Chain Attack on Reviewdog GitHub Actions | news.ycombinator.com | 2025-03-20
  5. gosec

    Go security checker

    Project mention: Top 10 Code Security Tools | dev.to | 2024-10-30

  6. syft

    CLI tool and library for generating a Software Bill of Materials from container images and filesystems

    Project mention: Open Source projects could sell SBoM fragments | news.ycombinator.com | 2025-02-17

    Syft (https://github.com/anchore/syft) and ScanCode (https://github.com/aboutcode-org/scancode-toolkit) are good open-source tools to generate SBOMs and search repos for licensing information — I'm curious to hear if there are reasons why those wouldn't work for enterprise purposes.

  7. tfsec

    Tfsec is now part of Trivy

    Project mention: Mastering DevSecOps and GitOps for Secure Cloud-Native Applications | dev.to | 2025-06-17

    Trivy (https://aquasecurity.github.io/trivy/) is a popular open-source vulnerability scanner for containers and other artifacts.

  8. go-tools

    Staticcheck - The advanced Go linter

  10. go-callvis

    Visualize call graph of a Go program using Graphviz

  11. revive

    🔥 ~6x faster, stricter, configurable, extensible, and beautiful drop-in replacement for golint

    Project mention: A 10x Faster TypeScript | news.ycombinator.com | 2025-03-11

    The Uber page does a pretty good job of summing it up. The only thing I'd add is that there has been a little bit of effort to reduce footguns since they've posted this article; as one example, the issue with accidentally capturing range for variables is now fixed in the language[1]. On top of having a built-in race detector since 1.1 and runtime concurrent map access detection since 1.6, Go is also adding more tools to make testing concurrent code easier, which should also help ensure potentially racy code is at least tested[2]. Accidentally capturing named return values is now caught by a popular linting tool[3]. There is also gVisor's checklocks analyzer, which, with the help of annotations, can catch many misuses of mutexes and data protected by mutexes[4]. (This would be a lot nicer as a language feature, but oh well.)

    I don't know if I'd evangelize for adopting Go on the scale that Uber has: I think Go works best for shared-nothing architectures and gets gradually less compelling as you dig into more complex concurrency. That said, since Uber is an early adopter, there is a decent chance that what they have learned will help future organizations avoid repeating some of the same issues, via improvements to tooling and the language.

    [1]: https://go.dev/blog/loopvar-preview

    [2]: https://go.dev/blog/synctest

    [3]: https://github.com/mgechev/revive/blob/HEAD/RULES_DESCRIPTIO...

    [4]: https://pkg.go.dev/gvisor.dev/gvisor/tools/checklocks

  12. go-recipes

    🦩 Tools for Go projects

  13. nilaway

    Static analysis tool to detect potential nil panics in Go code

    Project mention: Rust vs. Go: Battle for the Back End | news.ycombinator.com | 2025-03-10

    Yep, the ecosystem doesn't support anything like it and a lot of Go people are downright hostile towards this solution :)

    You could also try your luck with https://github.com/uber-go/nilaway

  14. kube-linter

    KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.

  15. bearer

    Code security scanning tool (SAST) to discover, filter and prioritize security and privacy risks.

    Project mention: 🛡️ Scan and Protect Any App in 5 Minutes with Bearer CLI (SAST for Everyone) | dev.to | 2025-04-20

    🧰 GitHub Repository: https://github.com/Bearer/bearer

  16. horusec

    Horusec is an open source tool that improves identification of vulnerabilities in your project with just one command.

    Project mention: 🔐IaC Security Made Easy with Horusec: A SAST Approach🚀 | dev.to | 2025-04-20

  17. go-ruleguard

    Define and run pattern-based custom linting rules.

    Project mention: Custom Linting Rules in Go | news.ycombinator.com | 2024-08-25
  18. huskyCI

    Performing security tests inside your CI

    Project mention: 🐶 Secure Your CI Pipeline in Minutes with HuskyCI (SAST for Multiple Languages) huskyci | dev.to | 2025-04-25

    git clone https://github.com/globocom/huskyCI.git
    cd huskyCI

  19. sqlvet

    Go fearless SQL. Sqlvet performs static analysis on raw SQL queries in your Go code base.

  20. woke

    Detect non-inclusive language in your source code.

  21. globstar

    Globstar is a fast, feature-rich, and open-source static analysis toolkit for writing and running code checkers. Based on tree-sitter.

    Project mention: Globstar: Open-source static analysis toolkit | news.ycombinator.com | 2025-04-08
  22. Chronos

    Chronos - A static race detector for the go language (by amit-davidson)

  23. bodyclose

    Analyzer: checks whether HTTP response body is closed and a re-use of TCP connection is not blocked.

  24. regal

    Regal is a linter and language server for Rego, bringing your policy development experience to the next level! (by StyraInc)

  25. squealer

    Telling tales on you for leaking secrets!

NOTE: The open source projects on this list are ordered by number of GitHub stars. The number of mentions indicates repo mentions in the last 12 months or since we started tracking (Dec 2020).

Go Static Analysis related posts

  • 🛡️ Secure, Lint, and Validate Your Terraform Like a Pro

    2 projects | dev.to | 19 May 2025
  • Globstar: Open-source static analysis toolkit

    1 project | news.ycombinator.com | 8 Apr 2025
  • Security and Quality Best Practices in Terraform.

    3 projects | dev.to | 23 Mar 2025
  • Rust vs. Go: Battle for the Back End

    1 project | news.ycombinator.com | 10 Mar 2025
  • Show HN: Globstar – Open-source static analysis toolkit

    9 projects | news.ycombinator.com | 28 Feb 2025
  • Mastering Managed IaC Self-Service: The Complete Guide

    1 project | dev.to | 23 Dec 2024
  • Union types ('enum types') would be complicated in Go

    2 projects | news.ycombinator.com | 7 Dec 2024

Index

What are some of the best open-source Static Analysis projects in Go? This list will help you:

# Project Stars
1 clair 10,714
2 grype 10,275
3 reviewdog 8,529
4 gosec 8,348
5 syft 7,338
6 tfsec 6,856
7 go-tools 6,505
8 go-callvis 6,320
9 revive 5,237
10 go-recipes 4,361
11 nilaway 3,425
12 kube-linter 3,224
13 bearer 2,341
14 horusec 1,242
15 go-ruleguard 832
16 huskyCI 578
17 sqlvet 493
18 woke 485
19 globstar 445
20 Chronos 435
21 bodyclose 318
22 regal 315
23 squealer 233
