macOS
brew install goseclocal Homebrew formula metadata
sudo port install gosecMacPorts ports tree · security/gosec/Portfile · source: api.github.com
brew
Golang security checker. Version 2.27.1 via Homebrew; verified 2026-06-01.
install
brew install goseclocal Homebrew formula metadata
sudo port install gosecMacPorts ports tree · security/gosec/Portfile · source: api.github.com
sudo apk add gosecAlpine Linux edge package indexes · gosec · source: dl-cdn.alpinelinux.org
sudo dnf install gosecFedora Rawhide package metadata · gosec · source: dl.fedoraproject.org
nix profile install nixpkgs#gosecnixpkgs package indexes · pkgs/by-name/go/gosec/package.nix · source: api.github.com
sudo zypper install gosecopenSUSE Tumbleweed package metadata · gosec · source: download.opensuse.org
scoop install main/gosecScoop official bucket manifest trees · bucket/gosec.json · source: api.github.com
overview
Golang security checker
history
gosec is the SecureGo project's static security scanner for Go source code, using AST, SSA, and taint-analysis rules to find common vulnerability patterns before code ships.
The GitHub repository was created on July 18, 2016. Its README describes gosec as a Go security checker that inspects source code by scanning Go AST and SSA representations, while SecureGo's tools page frames the project as a way to programmatically enforce Secure Go guidelines.
Over time the project expanded from pattern-style checks into a broader rule catalog. Official rule documentation groups findings by general secure coding, injection, filesystem permissions, crypto and protocol security, import blocklists, language/runtime safety, and taint analysis. The README also documents CWE mapping, SARIF output, GitHub Action usage, Go analysis integration, and configurable global and per-rule settings.
gosec became a standard Go security linter because it fits normal Go and CI workflows: go install for local use, a GitHub Action for repository scanning, SARIF output for GitHub code scanning, and package-manager distribution through apk, Homebrew, dnf, MacPorts, Nix, Scoop, and zypper according to the input package facts.
The project sits in the same practical lane as go vet and staticcheck but focuses on security-sensitive APIs and data flows. Its CII Best Practices badge, GitHub Action, Go analysis package, and package-manager coverage made it accessible both to individual Go developers and to teams wiring security checks into CI.
The basic local workflow is gosec ./..., with options for JSON or SARIF reports, selected rule inclusion or exclusion, and a config.json file passed through -conf. CI workflows often run securego/gosec as an action and upload SARIF to GitHub code scanning.
gosec rules include hardcoded credentials, unchecked errors, unsafe usage, SQL and command injection patterns, archive/path traversal risks, TLS and crypto weaknesses, blocklisted imports, integer/slice issues, and taint-analysis checks for SQL injection, command injection, SSRF, XSS, log injection, SMTP injection, server-side template injection, unsafe deserialization, and open redirects.
For package maintainers, gosec is important because it is easy to add as a single CLI check across Go packages without adopting a SaaS scanner. It gives distro and CI users a reproducible local executable, machine-readable output, CWE mappings, and a documented config file.
Its package-manager footprint also matters: a security scanner being available from Homebrew, Linux distro channels, Nix, Scoop, and container/GitHub Action paths means the same scanner can be used by laptop developers, CI jobs, and release pipelines.
security posture
narrow executable package without higher-risk signals.
green risk · low confidence · appliance
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
local files
These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.
Config paths the tool may read or write during local use.
config.jsonexecutables
| Command | Kind | Exposure | Note |
|---|---|---|---|
gosec | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/securego/gosec
install metadata
| Package key | brew:gosec |
|---|---|
| Version | 2.27.1 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/gosec |
| Homepage | https://securego.io/ |
| Repository | https://github.com/securego/gosec |
| Upstream docs | https://github.com/securego/gosec#readme |
| License | Apache-2.0 |
| Source archive | https://github.com/securego/gosec/archive/refs/tags/v2.27.1.tar.gz |
| Last updated | 2026-06-01T19:35:38Z |
| Pulse | updated |
| Dependencies | go |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | gosec |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
gosec
nix profile install nixpkgs#gosecgosec 2.23.0-r3
Go source code static analyzer, focusing on security
https://github.com/securego/gosec
sudo apk add gosecgosec 2.27.1-1.fc45
Go security checker
https://github.com/securego/gosec
sudo dnf install gosecgosec 2.27.1-1.1
CLI tool to scan the Go AST and SSA code representations for security problems
https://github.com/securego/gosec
sudo zypper install gosecgosec
sudo port install gosecmain/gosec
scoop install main/gosecsource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.