Go static-code-analysis

Open-source Go projects categorized as static-code-analysis

Top 11 Go static-code-analysis Projects

  • gosec

    Golang security checker

    Project mention: Top 10 Snyk Alternatives for Code Security | dev.to | 2023-08-31

    6. Gosec

  • reviewdog

    🐶 Automated code review tool integrated with any code analysis tools regardless of programming language

    Project mention: Code reviews and Suggestions from SARIF report | dev.to | 2023-05-16

    I build a general converter from SARIF to Reviewdog Diagnostic Format (RDFormat), then use Reviewdog to give suggested code changes as well as the context of the changes for PR reviewing.

  • SonarLint

    Clean code begins in your IDE with SonarLint. Up your coding game and discover issues early. SonarLint is a free plugin that helps you find & fix bugs and security issues from the moment you start writing code. Install from your favorite IDE marketplace today.

  • datree

    Prevent Kubernetes misconfigurations from reaching production (again 😤 )! From code to cloud, Datree provides an E2E policy enforcement solution to run automatic checks for rule violations. See our docs: https://hub.datree.io

    Project mention: Show HN: Datree (YC W20) – End-to-End Policy Management for Kubernetes | news.ycombinator.com | 2023-04-04

    Hi HN, I’m Shimon, the co-founder of Datree: A policy management solution for Kubernetes. We help DevOps engineers prevent misconfigurations in their Kubernetes by enforcing an organizational policy on their clusters. Engineers can define a custom policy or use one of Datree’s built-in policies, such as NIST/NSA Hardening Guide, EKS Security Best Practices, CIS Benchmark, and more.

    Our website is at https://datree.io and our GitHub is here: https://github.com/datreeio/datree

    This is not the first time I have shown Datree to the HN community: A little over a year ago, I posted here an earlier version of Datree (https://news.ycombinator.com/item?id=28918850). At that time, Datree consisted of a CLI tool to detect Kubernetes misconfigurations during the development process (locally or in the CI/CD), unlike the version I present today in which the enforcement happens in production.

    We built the CLI tool because we detected a big problem among Kubernetes operators: Misconfigurations. Kubernetes is extremely complex and flexible, which makes it very easy to poorly configure it in ways that are not secure. And indeed, we talked to dozens of Kubernetes operators who suffered from various problems, starting with failed audits, all the way to downtime in production, all because of misconfigurations.

    Our solution was simple: Give the developers the means to shift-left security testing during the development process with a CLI tool that can be integrated into the CI/CD. We thought this was the best way to approach the problem: It is easiest to fix misconfigurations in the development process before they are deployed to production, it prevents context-switching and relieves resources from the DevOps team.

    While the CLI tool was very popular among the open-source community (it got over 6000 stars on GitHub), we soon realized that CI/CD enforcement is not enough. As we talked with Datree’s users, we realized we had made a fundamental mistake: We thought of misconfiguration prevention in technical terms rather than organizational terms.

    Indeed, from a technical point of view, it makes sense to shift-left Kubernetes security. But when considering the organizational structure in which it takes place, it simply isn’t enough. DevOps engineers told us that they love the shift-left concept, but they simply cannot rely on the goodwill of the engineers to run a CLI tool locally or to monitor all the pipelines leading to production. They need governance, something to help them stay in control of the state of their clusters.

    Moreover, we realized that many companies who use Kubernetes are heavily regulated, and cannot take any chances with their security. Sure, these companies want the engineers to fix misconfigurations during development, but they also want something to make sure that no matter what, their clusters remain misconfiguration-free.

    Based on this understanding, we developed a new version of Datree that sits on the cluster itself (rather than in the CI/CD) and protects the production environment by blocking misconfigured resources with an admission webhook. It has a centralized policy management solution to enable governance, and native monitoring to get real-time insights into the state of your Kubernetes.

    I look forward to hearing your feedback and answering any questions you may have.

  • revive

    🔥 ~6x faster, stricter, configurable, extensible, and beautiful drop-in replacement for golint

    Project mention: revive v1.3.4 is now available | /r/golang | 2023-09-18

    The v1.3.4 of revive, the fast, configurable, extensible, flexible, and beautiful linter for Go, is available.

  • kube-score

    Kubernetes object analysis with recommendations for improved reliability and security

    Project mention: GitHub - zegl/kube-score: Kubernetes object analysis with recommendations for improved reliability and security | /r/u_Venehsoftw | 2022-12-23
  • gokart

    A static analysis tool for securing Go code

  • bearer

    Code security scanning tool (SAST) to discover, filter and prioritize security and privacy risks.

    Project mention: [Tool] An alternative to Brakeman for Security | /r/rails | 2023-07-11

    My team and I released Bearer a couple of weeks ago, a newer open and free alternative to Brakeman to check your code for security and privacy risks. In addition to Ruby/Rails, we also cover your JS/TS code, which allows you to use a single solution for your whole Rails application.

  • Onboard AI

    Learn any GitHub repo in 59 seconds. Onboard AI learns any GitHub repo in minutes and lets you chat with it to locate functionality, understand different parts, and generate new code. Use it for free at www.getonboard.dev.

  • Chronos

    Chronos - A static race detector for the go language (by amit-davidson)

  • nakedret

    nakedret is a Go static analysis tool to find naked returns in functions greater than a specified function length.

    Project mention: What was your greatest struggle when learning Go? | /r/golang | 2023-02-18

    Every Go dev should have a linter running that warns about naked returns. E.g., nakedret.

  • sibyl2

    The missing fact layer in codebases.

    Project mention: Is it necessary to maintain a logical layer on top of your codebase? | /r/devops | 2023-03-26
  • goboundcheck

    Linter for Go ensuring all array and slice bounds are validated.

    Project mention: Goboundcheck – Go linter validating slice/array bounds | news.ycombinator.com | 2023-06-29
NOTE: The open source projects on this list are ordered by number of github stars. The number of mentions indicates repo mentiontions in the last 12 Months or since we started tracking (Dec 2020). The latest post mention was on 2023-09-18.

Go static-code-analysis related posts


What are some of the best open-source static-code-analysis projects in Go? This list will help you:

Project Stars
1 gosec 7,098
2 reviewdog 6,698
3 datree 6,354
4 revive 4,404
5 kube-score 2,378
6 gokart 2,121
7 bearer 1,368
8 Chronos 405
9 nakedret 109
10 sibyl2 39
11 goboundcheck 0
Free Global Payroll designed for tech teams
Building a great tech team takes more than a paycheck. Zero payroll costs, get AI-driven insights to retain best talent, and delight them with amazing local benefits. 100% free and compliant.