Building a great tech team takes more than a paycheck. Zero payroll costs, get AI-driven insights to retain best talent, and delight them with amazing local benefits. 100% free and compliant. Learn more →
Top 11 Go static-code-analysis Projects
-
6. Gosec
-
reviewdog
🐶 Automated code review tool integrated with any code analysis tools regardless of programming language
I build a general converter from SARIF to Reviewdog Diagnostic Format (RDFormat), then use Reviewdog to give suggested code changes as well as the context of the changes for PR reviewing.
-
SonarLint
Clean code begins in your IDE with SonarLint. Up your coding game and discover issues early. SonarLint is a free plugin that helps you find & fix bugs and security issues from the moment you start writing code. Install from your favorite IDE marketplace today.
-
datree
Prevent Kubernetes misconfigurations from reaching production (again 😤 )! From code to cloud, Datree provides an E2E policy enforcement solution to run automatic checks for rule violations. See our docs: https://hub.datree.io
Project mention: Show HN: Datree (YC W20) – End-to-End Policy Management for Kubernetes | news.ycombinator.com | 2023-04-04Hi HN, I’m Shimon, the co-founder of Datree: A policy management solution for Kubernetes. We help DevOps engineers prevent misconfigurations in their Kubernetes by enforcing an organizational policy on their clusters. Engineers can define a custom policy or use one of Datree’s built-in policies, such as NIST/NSA Hardening Guide, EKS Security Best Practices, CIS Benchmark, and more.
Our website is at https://datree.io and our GitHub is here: https://github.com/datreeio/datree
This is not the first time I have shown Datree to the HN community: A little over a year ago, I posted here an earlier version of Datree (https://news.ycombinator.com/item?id=28918850). At that time, Datree consisted of a CLI tool to detect Kubernetes misconfigurations during the development process (locally or in the CI/CD), unlike the version I present today in which the enforcement happens in production.
We built the CLI tool because we detected a big problem among Kubernetes operators: Misconfigurations. Kubernetes is extremely complex and flexible, which makes it very easy to poorly configure it in ways that are not secure. And indeed, we talked to dozens of Kubernetes operators who suffered from various problems, starting with failed audits, all the way to downtime in production, all because of misconfigurations.
Our solution was simple: Give the developers the means to shift-left security testing during the development process with a CLI tool that can be integrated into the CI/CD. We thought this was the best way to approach the problem: It is easiest to fix misconfigurations in the development process before they are deployed to production, it prevents context-switching and relieves resources from the DevOps team.
While the CLI tool was very popular among the open-source community (it got over 6000 stars on GitHub), we soon realized that CI/CD enforcement is not enough. As we talked with Datree’s users, we realized we had made a fundamental mistake: We thought of misconfiguration prevention in technical terms rather than organizational terms.
Indeed, from a technical point of view, it makes sense to shift-left Kubernetes security. But when considering the organizational structure in which it takes place, it simply isn’t enough. DevOps engineers told us that they love the shift-left concept, but they simply cannot rely on the goodwill of the engineers to run a CLI tool locally or to monitor all the pipelines leading to production. They need governance, something to help them stay in control of the state of their clusters.
Moreover, we realized that many companies who use Kubernetes are heavily regulated, and cannot take any chances with their security. Sure, these companies want the engineers to fix misconfigurations during development, but they also want something to make sure that no matter what, their clusters remain misconfiguration-free.
Based on this understanding, we developed a new version of Datree that sits on the cluster itself (rather than in the CI/CD) and protects the production environment by blocking misconfigured resources with an admission webhook. It has a centralized policy management solution to enable governance, and native monitoring to get real-time insights into the state of your Kubernetes.
I look forward to hearing your feedback and answering any questions you may have.
-
revive
🔥 ~6x faster, stricter, configurable, extensible, and beautiful drop-in replacement for golint
The v1.3.4 of revive, the fast, configurable, extensible, flexible, and beautiful linter for Go, is available.
-
Project mention: GitHub - zegl/kube-score: Kubernetes object analysis with recommendations for improved reliability and security | /r/u_Venehsoftw | 2022-12-23
-
-
bearer
Code security scanning tool (SAST) to discover, filter and prioritize security and privacy risks.
My team and I released Bearer a couple of weeks ago, a newer open and free alternative to Brakeman to check your code for security and privacy risks. In addition to Ruby/Rails, we also cover your JS/TS code, which allows you to use a single solution for your whole Rails application.
-
Onboard AI
Learn any GitHub repo in 59 seconds. Onboard AI learns any GitHub repo in minutes and lets you chat with it to locate functionality, understand different parts, and generate new code. Use it for free at www.getonboard.dev.
-
-
nakedret
nakedret is a Go static analysis tool to find naked returns in functions greater than a specified function length.
Every Go dev should have a linter running that warns about naked returns. E.g., nakedret.
-
Project mention: Is it necessary to maintain a logical layer on top of your codebase? | /r/devops | 2023-03-26
-
Project mention: Goboundcheck – Go linter validating slice/array bounds | news.ycombinator.com | 2023-06-29
Go static-code-analysis related posts
- Is it necessary to maintain a logical layer on top of your codebase?
- Is it necessary to maintain a logical layer in your code repository?
- The missing logical layer in codebases. Easily deploy. Analysis friendly. Multi languages support.
- The missing logical layer in codebases. Analysis friendly. Multi languages support.
- The missing logical layer in codebases
- Also a powerful source code metadata extractor for multiple languages
- Source code history visualization with one line command (https://github.com/opensibyl/sibyl2)
-
A note from our sponsor - Revelo Payroll
try.revelo.com | 3 Oct 2023
Index
What are some of the best open-source static-code-analysis projects in Go? This list will help you:
Project | Stars | |
---|---|---|
1 | gosec | 7,098 |
2 | reviewdog | 6,698 |
3 | datree | 6,354 |
4 | revive | 4,404 |
5 | kube-score | 2,378 |
6 | gokart | 2,121 |
7 | bearer | 1,368 |
8 | Chronos | 405 |
9 | nakedret | 109 |
10 | sibyl2 | 39 |
11 | goboundcheck | 0 |