Automic VaultAutomic Vault

brew

Install gosec with Homebrew, apk, dnf, MacPorts, Nix, scoop, zypper

Golang security checker. Version 2.27.1 via Homebrew; verified 2026-06-01.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install gosec

local Homebrew formula metadata

MacPortsverified · 94%
sudo port install gosec

MacPorts ports tree · security/gosec/Portfile · source: api.github.com

Linux

Alpine Linux apkverified · 92%
sudo apk add gosec

Alpine Linux edge package indexes · gosec · source: dl-cdn.alpinelinux.org

Fedora dnfverified · 92%
sudo dnf install gosec

Fedora Rawhide package metadata · gosec · source: dl.fedoraproject.org

Nixverified · 92%
nix profile install nixpkgs#gosec

nixpkgs package indexes · pkgs/by-name/go/gosec/package.nix · source: api.github.com

openSUSE zypperverified · 92%
sudo zypper install gosec

openSUSE Tumbleweed package metadata · gosec · source: download.opensuse.org

Windows

Scoopverified · 92%
scoop install main/gosec

Scoop official bucket manifest trees · bucket/gosec.json · source: api.github.com

overview

Package summary

Golang security checker

Commands and aliases

  • gosec

history

Project history and usage

gosec is the SecureGo project's static security scanner for Go source code, using AST, SSA, and taint-analysis rules to find common vulnerability patterns before code ships.

Project history

The GitHub repository was created on July 18, 2016. Its README describes gosec as a Go security checker that inspects source code by scanning Go AST and SSA representations, while SecureGo's tools page frames the project as a way to programmatically enforce Secure Go guidelines.

Over time the project expanded from pattern-style checks into a broader rule catalog. Official rule documentation groups findings by general secure coding, injection, filesystem permissions, crypto and protocol security, import blocklists, language/runtime safety, and taint analysis. The README also documents CWE mapping, SARIF output, GitHub Action usage, Go analysis integration, and configurable global and per-rule settings.

Adoption history

gosec became a standard Go security linter because it fits normal Go and CI workflows: go install for local use, a GitHub Action for repository scanning, SARIF output for GitHub code scanning, and package-manager distribution through apk, Homebrew, dnf, MacPorts, Nix, Scoop, and zypper according to the input package facts.

The project sits in the same practical lane as go vet and staticcheck but focuses on security-sensitive APIs and data flows. Its CII Best Practices badge, GitHub Action, Go analysis package, and package-manager coverage made it accessible both to individual Go developers and to teams wiring security checks into CI.

How it is used

The basic local workflow is gosec ./..., with options for JSON or SARIF reports, selected rule inclusion or exclusion, and a config.json file passed through -conf. CI workflows often run securego/gosec as an action and upload SARIF to GitHub code scanning.

gosec rules include hardcoded credentials, unchecked errors, unsafe usage, SQL and command injection patterns, archive/path traversal risks, TLS and crypto weaknesses, blocklisted imports, integer/slice issues, and taint-analysis checks for SQL injection, command injection, SSRF, XSS, log injection, SMTP injection, server-side template injection, unsafe deserialization, and open redirects.

Why package nerds care

For package maintainers, gosec is important because it is easy to add as a single CLI check across Go packages without adopting a SaaS scanner. It gives distro and CI users a reproducible local executable, machine-readable output, CWE mappings, and a documented config file.

Its package-manager footprint also matters: a security scanner being available from Homebrew, Linux distro channels, Nix, Scoop, and container/GitHub Action paths means the same scanner can be used by laptop developers, CI jobs, and release pipelines.

Timeline

  • 2016-07-18: GitHub repository created
  • 2020: SecureGo site documented gosec as a tool for programmatically enforcing Secure Go guidelines
  • v2 era: Module path and docs center on github.com/securego/gosec/v2
  • README era: GitHub Action, SARIF, Go analysis integration, and config-file workflows documented
  • Rule-docs era: Rule catalog organized across AST, SSA, and taint-analysis checks

Related projects

  • SecureGo guidelines provide the surrounding secure-coding project context.
  • GitHub code scanning consumes gosec SARIF output in documented workflows.
  • golang.org/x/tools/go/analysis is supported through gosec's analyzer integration.
  • Bazel nogo is named in the README as an integration target for the analyzer package.

security posture

Risk level: green

narrow executable package without higher-risk signals.

Risk classifier

green risk · low confidence · appliance

Why

  • narrow executable package without higher-risk signals

Signals

  • metadata:no-higher-risk-signals

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Installs with 1 runtime dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Configuration files

Config paths the tool may read or write during local use.

Unix
config.json

executables

Installed executables

CommandKindExposureNote
goseccliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version2.27.1
manager updated2026-06-01
local dataok
upstreamcurrent
latest detectedv2.27.1

https://github.com/securego/gosec

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:gosec
Version2.27.1
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/gosec
Homepagehttps://securego.io/
Repositoryhttps://github.com/securego/gosec
Upstream docshttps://github.com/securego/gosec#readme
LicenseApache-2.0
Source archivehttps://github.com/securego/gosec/archive/refs/tags/v2.27.1.tar.gz
Last updated2026-06-01T19:35:38Z
Pulseupdated
Dependenciesgo
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namegosec
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

gosec

nix profile install nixpkgs#gosec
  • normalized package name match
  • Matched by: Gosec
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/go/gosec/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
apk95%

gosec 2.23.0-r3

Go source code static analyzer, focusing on security

https://github.com/securego/gosec

sudo apk add gosec
  • License: Apache-2.0
  • Architecture: x86_64
  • Source Package: gosec
  • 1 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Gosec
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: gosec from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
dnf95%

gosec 2.27.1-1.fc45

Go security checker

https://github.com/securego/gosec

sudo dnf install gosec
  • License: Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND MIT AND MPL-2.0
  • Category: Unspecified
  • Architecture: x86_64
  • Source Package: gosec
  • 3 dependencies
  • 2 provides
  • normalized package name match
  • Matched by: Gosec
Fedora Rawhide package metadata · dl.fedoraproject.org · Fedora Rawhide package metadata: gosec from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst
zypper95%

gosec 2.27.1-1.1

CLI tool to scan the Go AST and SSA code representations for security problems

https://github.com/securego/gosec

sudo zypper install gosec
  • License: Apache-2.0
  • Category: Development/Languages/Go
  • Architecture: x86_64
  • Source Package: gosec
  • 1 provides
  • normalized package name match
  • Matched by: Gosec
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: gosec from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
MacPorts95%

gosec

sudo port install gosec
  • normalized package name match
  • Matched by: Gosec
MacPorts ports tree · api.github.com · MacPorts ports tree: security/gosec/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
Scoop95%

main/gosec

scoop install main/gosec
  • normalized package name match
  • Matched by: Gosec
Scoop official bucket manifest trees · api.github.com · Scoop official bucket manifest trees: bucket/gosec.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated configuration and credential file locations
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment