Gosec

gosec is a static analysis security tool designed to scan Go source code for vulnerabilities and common coding flaws. It functions as a security analyzer that inspects the abstract syntax tree to identify insecure function calls, API usage, and potential security risks.

The tool distinguishes itself by mapping detected vulnerabilities to Common Weakness Enumeration identifiers for standardized reporting and integrating with external AI models to suggest code fixes for identified issues.

Its capabilities cover the detection of injection vulnerabilities, hardcoded credentials, weak cryptographic implementations, and insecure network or filesystem configurations. The engine also provides mechanisms for vulnerability management, including the ability to define custom security rules, enforce import blocklists, and suppress false positives using inline code annotations.

Analysis results can be exported in multiple machine-readable formats to integrate with reporting tools and security workflows.

Features

Security and SAST - Identifies injection risks and hardcoded credentials in Go projects using static analysis and pattern matching.

Security and Vulnerability Scanning - Inspects Go source code using static analysis to identify security flaws and potential vulnerabilities.

Source Code Analysis - Inspects the abstract syntax tree to identify risky function calls and security flaws.

Security Vulnerability Scanners - Analyzes code using pattern-based rules and taint analysis to detect common security flaws and injection risks.

AST Pattern Matching - Implements structural code analysis using abstract syntax trees to identify insecure patterns.

Vulnerability Mapping - Links detected security flaws to Common Weakness Enumeration identifiers for standardized reporting.

Cryptographic Auditing - Detects the use of weak hashing algorithms, deprecated ciphers, and insecure random number generators.

Go Security Auditing - Identifies hardcoded credentials, insecure network configurations, and weak cryptography in Go projects.

Insecure API Detection - Identifies dangerous or deprecated API usage by matching package selectors and identifiers within source code.

Secret Detection - Scans source code using regular expressions to identify hardcoded credentials and API keys.

Secrets Scanning - Scans source code for plaintext passwords, API keys, and other sensitive secrets embedded directly in logic.

Source Code Vulnerability Scanning - Analyzes source code against security rules to identify potential vulnerabilities and risks.

Static Analysis Security Testing - Analyzes Go source code to identify potential security vulnerabilities and common coding flaws through static analysis.

Injection Vulnerabilities - Analyzes code for SQL, command, path traversal, and cross-site scripting risks using pattern matching and taint analysis.

Static Analysis Security Testing - Provides a static analysis engine to scan Go source code for security vulnerabilities and coding flaws.

AST Security Analyzers - Inspects the Go abstract syntax tree to detect insecure function calls and API usage.

Static Code Analysis - Scans Go source code for security vulnerabilities and common coding flaws using static analysis.

Taint Analysis Engines - Tracks the propagation of untrusted user input to detect potential injection vulnerabilities.

Analysis Result Caches - Caches intermediate results of expensive static analysis operations to avoid redundant processing of unchanged code.

Automated Code Fix Suggestions - Recommends specific code changes to resolve detected security findings via external AI models.

Analysis Suppression Mechanisms - Excludes specific security findings from reporting using inline annotations or external flags.

Parallel Analysis Execution - Processes multiple Go packages and files in parallel to reduce the total time required for security scans.

Static Analysis Configurations - Adjusts the scanning engine through global settings such as enabling static single assignment support or audit mode.

Safety Analyzers - Identifies potential slice bounds out of range and implicit memory aliasing in loops.

Static Single Assignment Analysis - Tracks variable assignments and data flow to identify vulnerabilities that depend on value changes.

Filesystem Permissions - Flags insecure file and directory permissions during creation or modification to prevent unauthorized access.

Standardized Classifications - Associates detected security issues with CWE identifiers for standardized vulnerability descriptions.

Network Security Auditing - Identifies insecure network settings such as binding to all interfaces and unsafe redirect policies.

Secure Go Development - Prevents the use of forbidden packages and dangerous function calls during development.

Security Finding Management - Ignores specific vulnerabilities using inline directives that require a rule ID or written justification.

Security Reporting Tools - Exports security scan results into structured formats for integration with external reporting tools.

Vulnerability Check Excluders - Filters out security issues based on file path patterns and rule identifiers to reduce noise.

Weakness Enumerations - Maps detected security issues to Common Weakness Enumeration identifiers for standardized reporting.

Custom Analysis Rules - Provides a framework for defining custom metadata-driven rules to identify specialized vulnerabilities.

Rule Suppression Comments - Provides inline source code comments to disable specific security rules for targeted lines.

AI-Powered Code Fixes - Integrates with external AI models to provide recommended code fixes for detected security vulnerabilities.

Memory Leak Detection - Detects uncalled context cancel functions and unbounded memory allocations to prevent resource leaks.

Code Analysis and Quality - Security-focused static analysis.

Security And Privacy - Security checker for Go code.

Static Analysis - Scans Go source code to identify common security vulnerabilities.

securegogosec

Features

Star history