$ goast eval -f json -p policy.rego main.go
{
  "diagnostics": [
    {
      "message": "do not use fmt.Println",
      "location": {
        "path": "main.go",
        "range": {
          "start": {
            "line": 6,
            "column": 2
          }
        }
      }
    }
  ],
  "source": {
    "name": "goast",
    "url": "https://github.com/m-mizutani/goast"
  }
}
Various static analysis tools are available for the Go language, and they can check general best practices. For example, gosec is a tool that checks Go code for secure coding, and I use it myself. However, coding rules in software development are based not only on best practices; they can also be specific to a piece of software or to a team. For example
A useful tool for such applications is the policy description language Rego. Rego is a general-purpose language that OPA uses to evaluate structured data. Some of the most popular uses include checking the status of resources used in cloud environments, checking the content of Infrastructure as Code descriptions, and checking authorization for access to servers. Please see this document for more details on Rego.
Static analysis should be run continuously in CI (Continuous Integration) to keep code that breaks these rules from being included unintentionally. The JSON output schema is compatible with reviewdog, so the output can be passed to reviewdog as is.
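To show what such a project-specific rule has to look for in the syntax tree, here is the "do not use fmt.Println" check from the output above written directly against Go's standard go/parser and go/ast packages. It is an added example, not goast's code and not a Rego policy; `CheckPrintln`, `Diagnostic` and the sample source are assumptions made for illustration.

```go
package main
import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
)

// Diagnostic carries the fields reported per finding in the output above.
type Diagnostic struct {
	Message, Path string
	Line, Column  int
}

// Constructed sample input: the fmt.Println call sits on line 6, column 2.
const sampleSrc = "package main\n\nimport \"fmt\"\n\nfunc main() {\n\tfmt.Println(\"hello\")\n}\n"

// CheckPrintln (hypothetical) flags fmt.Println calls, also via a renamed import.
func CheckPrintln(path, src string) ([]Diagnostic, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, path, src, 0)
	if err != nil {
		return nil, err
	}
	local := map[string]bool{} // names under which "fmt" is imported
	for _, imp := range file.Imports {
		p, _ := strconv.Unquote(imp.Path.Value)
		if p == "fmt" && imp.Name != nil {
			local[imp.Name.Name] = true
		} else if p == "fmt" {
			local["fmt"] = true
		}
	}
	var diags []Diagnostic
	ast.Inspect(file, func(n ast.Node) bool {
		if call, ok := n.(*ast.CallExpr); ok {
			if sel, ok := call.Fun.(*ast.SelectorExpr); ok && sel.Sel.Name == "Println" {
				if id, ok := sel.X.(*ast.Ident); ok && local[id.Name] {
					p := fset.Position(call.Pos())
					diags = append(diags, Diagnostic{"do not use fmt.Println", p.Filename, p.Line, p.Column})
				}
			}
		}
		return true
	})
	return diags, nil
}
func main() { fmt.Println(CheckPrintln("main.go", sampleSrc)) }
```

The check is purely syntactic: it does not see dot-imports or a local variable that shadows the package name.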
We also have goast-action available for use with GitHub Actions, which allows you to perform static inspection on Pull Requests with the following workflow.