Go Static Analysis

Open-source Go projects categorized as Static Analysis

Top 23 Go Static Analysis Projects

  1. grype

    A vulnerability scanner for container images and filesystems

    Project mention: Performance Test: Grype 0.70 vs Trivy 0.50 Scan Times – 15% Faster for Alpine Images | dev.to | 2026-04-28

    After 120+ benchmark runs across 6 Alpine image variants, 2 hardware configurations, and 3 CI environments, our verdict is clear: Grype 0.70 is 15% faster than Trivy 0.50 for Alpine-based container images, with identical vulnerability detection parity. For teams scanning Alpine images at scale, this speedup translates to thousands of dollars in CI compute savings and hundreds of engineer hours reclaimed per month. If you're only scanning Alpine images, migrate to Grype today; the 15% speedup is worth the migration effort for any team with more than 100 daily scans. For heterogeneous image stacks, Trivy remains the better all-in-one option. We recommend running the benchmark script we provided earlier on your own images to validate the speedup for your specific workload.

  3. clair

    Vulnerability Static Analysis for Containers

    Project mention: Performance Test: Grype 0.70 vs Trivy 0.50 Scan Times – 15% Faster for Alpine Images | dev.to | 2026-04-28

    How does Clair compare to Grype and Trivy for Alpine image scans?

  4. reviewdog

    🐢 Automated code review tool integrated with any code analysis tools regardless of programming language

    Project mention: Proofreading Text with textlint and reviewdog on CircleCI | dev.to | 2026-03-15

    github.com - reviewdog/reviewdog

  5. syft

    CLI tool and library for generating a Software Bill of Materials from container images and filesystems

    Project mention: War Story: We Implemented SBOMs with Syft 0.10 and Cut Compliance Audit Time 60% for 500 Services | dev.to | 2026-04-28
  6. gosec

    Go security checker

  7. tfsec

    Tfsec is now part of Trivy

    Project mention: How to Build a CI/CD Pipeline from Scratch | dev.to | 2026-06-11

    Sign and scan artifacts before deployment. Container image scanning with Trivy, Snyk, or Grype identifies known vulnerabilities in base images and dependencies. Fail the pipeline if critical or high-severity vulnerabilities are detected.

  8. go-tools

    Staticcheck - The advanced Go linter

    Project mention: 2026 Benchmark: Gemini 2.5 vs. OpenAI o4 for Translating Code Between Python 3.13 and Go 1.24 | dev.to | 2026-04-28

    Go’s static analysis ecosystem is mature enough to catch 80% of translation errors before runtime. staticcheck (https://github.com/dominikh/go-tools) is a state-of-the-art linter that detects unused variables, race conditions, and incorrect error handling, common issues in LLM-translated Go code. In our benchmark, teams that integrated staticcheck into their CI pipeline reduced post-translation bugs by 72%. For example, running staticcheck ./... after translation will catch issues like unhandled errors or shadowed variables that Gemini 2.5 occasionally misses. Similarly, go vet detects suspicious constructs, such as fmt.Printf calls with incorrect format verbs. A sample CI step looks like:

  9. go-callvis

    Visualize call graph of a Go program using Graphviz

  10. revive

    🔥 ~6x faster, stricter, configurable, extensible, and beautiful drop-in replacement for golint

    Project mention: Cognitive Load is what matters | news.ycombinator.com | 2025-08-30

    > Our coding standards require that functions have a fairly low cyclomatic complexity. The goal is to ensure that we never have a function which is really hard to understand.

    https://github.com/fzipp/gocyclo

    > * We also require a properly descriptive header comment for each function and one of the main emphases in our code reviews is to evaluate the legibility and sensibility of each function signature very carefully. My thinking is the comment sort of describes "developer's intent" whereas the naming of everything in the signature should give you a strong indication of what the function really does.

    https://github.com/mgechev/revive

    > Now is this going to buy you good architecture for free, of course not.

    It's not architecture to tell people to comment on their functions.

    Also FTR, people confuse cyclomatic complexity for automagically making code confusing to the weirdest example I have ever had to deal with - a team had unilaterally decided that the 'else' keyword could never be used in code.

  11. go-recipes

    🦩 Tools for Go projects

  12. nilaway

    Static analysis tool to detect potential nil panics in Go code

    Project mention: Show HN: Soppo – A Golang superset that adds enums, pattern matching, nil safety | news.ycombinator.com | 2025-12-03

    Hey HN, I've been working on Soppo, a language that compiles to Go, adding features to catch errors at compile time instead of runtime: enums with exhaustive matching, `?` for error propagation, and nil safety from static analysis of nil flows (sort of like https://github.com/uber-go/nilaway but currently much less sophisticated). It's designed to still look and feel like Go, and be able to use any Go library directly.

    Playground: https://play.soppolang.dev

    Not production ready and still a little early in development, but curious what people think about the design.

  13. kube-linter

    KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.

  14. bearer

    Code security scanning tool (SAST) to discover, filter and prioritize security and privacy risks.

  15. kubesec

    Security risk analysis for Kubernetes resources

    Project mention: The Hidden Risks of "Secure by Default": Why Security Contexts in Kubernetes Matter | dev.to | 2025-10-30

    Scan manifests with tools like kubesec or Polaris

  16. horusec

    Horusec is an open source tool that improves identification of vulnerabilities in your project with just one command.

  17. vet

    Protect against malicious open source packages 🤖

    Project mention: Show HN: Tips to stay safe from NPM supply chain attacks | news.ycombinator.com | 2025-09-21

    For GitHub Actions, I found http://safedep.io/ to be helpful: not only does it guard against known attacks, but it also has its own malware detection engine.

  18. pyscn

    An Intelligent Python Code Quality Analyzer

    Project mention: From CLI to GitHub Bot: Building a Code Management AI for Python | dev.to | 2026-02-06

    So I built pyscn, a static analysis engine in Go with tree-sitter. It scans Python code and gives you a Health Score (0–100) based on:

  19. go-ruleguard

    Define and run pattern-based custom linting rules.

  20. huskyCI

    Performing security tests inside your CI

  21. woke

    Detect non-inclusive language in your source code.

  22. sqlvet

    Go fearless SQL. Sqlvet performs static analysis on raw SQL queries in your Go code base.

  23. globstar

    Globstar is a fast, feature-rich, and open-source static analysis toolkit for writing and running code checkers. Based on tree-sitter.

  24. Chronos

    Chronos - A static race detector for the go language (by amit-davidson)

NOTE: The open source projects on this list are ordered by number of GitHub stars. The number of mentions indicates repo mentions in the last 12 months or since we started tracking (Dec 2020).


Go Static Analysis related posts

  • 2026 Benchmark: Gemini 2.5 vs. OpenAI o4 for Translating Code Between Python 3.13 and Go 1.24

    1 project | dev.to | 28 Apr 2026
  • War Story: We Implemented SBOMs with Syft 0.10 and Cut Compliance Audit Time 60% for 500 Services

    3 projects | dev.to | 28 Apr 2026
  • Show HN: Backlit – Lit Web Component SSR for Drupal via Go and WASM, No Node.js

    1 project | news.ycombinator.com | 19 Mar 2026
  • Why TODOs rot, and how I built a tool to make them expire

    1 project | dev.to | 15 Jan 2026
  • Show HN: DebtBomb – Make TODOs expire and automatically create Jira tickets

    1 project | news.ycombinator.com | 13 Jan 2026
  • Top 7 Terraform Scanning Tools You Should Know

    2 projects | dev.to | 15 Dec 2025
  • Show HN: Soppo – A Golang superset that adds enums, pattern matching, nil safety

    2 projects | news.ycombinator.com | 3 Dec 2025

Index

What are some of the best open-source Static Analysis projects in Go? This list will help you:

# Project Stars
1 grype 12,394
2 clair 11,005
3 reviewdog 9,353
4 syft 9,091
5 gosec 8,858
6 tfsec 7,011
7 go-tools 6,817
8 go-callvis 6,485
9 revive 5,522
10 go-recipes 4,489
11 nilaway 3,827
12 kube-linter 3,469
13 bearer 2,678
14 kubesec 1,459
15 horusec 1,320
16 vet 1,073
17 pyscn 1,017
18 go-ruleguard 870
19 huskyCI 593
20 woke 513
21 sqlvet 499
22 globstar 489
23 Chronos 440
