# Install gosec with Homebrew, apk, dnf, MacPorts, Nix, scoop, zypper

Golang security checker. Version 2.27.1 via Homebrew; verified 2026-06-01.

## Install

```sh
sudo av install brew:gosec
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install gosec
```

  Evidence: local Homebrew formula metadata

- MacPorts (94%):

```sh
sudo port install gosec
```

  Evidence: MacPorts ports tree: security/gosec/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

### Linux

- apk (92%):

```sh
sudo apk add gosec
```

  Evidence: Alpine Linux edge package indexes: gosec from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz

- dnf (92%):

```sh
sudo dnf install gosec
```

  Evidence: Fedora Rawhide package metadata: gosec from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst

- Nix (92%):

```sh
nix profile install nixpkgs#gosec
```

  Evidence: nixpkgs package indexes: pkgs/by-name/go/gosec/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- zypper (92%):

```sh
sudo zypper install gosec
```

  Evidence: openSUSE Tumbleweed package metadata: gosec from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

### Windows

- Scoop (92%):

```sh
scoop install main/gosec
```

  Evidence: Scoop official bucket manifest trees: bucket/gosec.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

## Package facts

- **Package key:** brew:gosec
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/gosec>
- **Version:** 2.27.1
- **Source summary:** Golang security checker
- **Homepage:** <https://securego.io/>
- **Repository:** <https://github.com/securego/gosec>
- **Upstream docs:** <https://github.com/securego/gosec#readme>
- **License:** Apache-2.0
- **Source archive:** <https://github.com/securego/gosec/archive/refs/tags/v2.27.1.tar.gz>
- **Last updated:** 2026-06-01T19:35:38Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- gosec (cli)
- gosec (alias)

## Dependencies

- go

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 2.27.1
- Package-manager updated: 2026-06-01
- Local data: ok
- Upstream repository: https://github.com/securego/gosec
- Upstream latest detected: v2.27.1 (current)
## Project history and usage

gosec is the SecureGo project's static security scanner for Go source code, using AST, SSA, and taint-analysis rules to find common vulnerability patterns before code ships.

### Project history

The GitHub repository was created on July 18, 2016. Its README describes gosec as a Go security checker that inspects source code by scanning Go AST and SSA representations, while SecureGo's tools page frames the project as a way to programmatically enforce Secure Go guidelines.

Over time the project expanded from pattern-style checks into a broader rule catalog. Official rule documentation groups findings by general secure coding, injection, filesystem permissions, crypto and protocol security, import blocklists, language/runtime safety, and taint analysis. The README also documents CWE mapping, SARIF output, GitHub Action usage, Go analysis integration, and configurable global and per-rule settings.

### Adoption history

gosec became a standard Go security linter because it fits normal Go and CI workflows: go install for local use, a GitHub Action for repository scanning, SARIF output for GitHub code scanning, and package-manager distribution through apk, Homebrew, dnf, MacPorts, Nix, Scoop, and zypper according to the input package facts.

The project sits in the same practical lane as go vet and staticcheck but focuses on security-sensitive APIs and data flows. Its CII Best Practices badge, GitHub Action, Go analysis package, and package-manager coverage made it accessible both to individual Go developers and to teams wiring security checks into CI.

### How it is used

The basic local workflow is gosec ./..., with options for JSON or SARIF reports, selected rule inclusion or exclusion, and a config.json file passed through -conf. CI workflows often run securego/gosec as an action and upload SARIF to GitHub code scanning.

gosec rules include hardcoded credentials, unchecked errors, unsafe usage, SQL and command injection patterns, archive/path traversal risks, TLS and crypto weaknesses, blocklisted imports, integer/slice issues, and taint-analysis checks for SQL injection, command injection, SSRF, XSS, log injection, SMTP injection, server-side template injection, unsafe deserialization, and open redirects.

### Why package nerds care

For package maintainers, gosec is important because it is easy to add as a single CLI check across Go packages without adopting a SaaS scanner. It gives distro and CI users a reproducible local executable, machine-readable output, CWE mappings, and a documented config file.

Its package-manager footprint also matters: a security scanner being available from Homebrew, Linux distro channels, Nix, Scoop, and container/GitHub Action paths means the same scanner can be used by laptop developers, CI jobs, and release pipelines.

### Timeline

- 2016-07-18: GitHub repository created
- 2020: SecureGo site documented gosec as a tool for programmatically enforcing Secure Go guidelines
- v2 era: Module path and docs center on github.com/securego/gosec/v2
- README era: GitHub Action, SARIF, Go analysis integration, and config-file workflows documented
- Rule-docs era: Rule catalog organized across AST, SSA, and taint-analysis checks

### Related projects

- SecureGo guidelines provide the surrounding secure-coding project context.
- GitHub code scanning consumes gosec SARIF output in documented workflows.
- golang.org/x/tools/go/analysis is supported through gosec's analyzer integration.
- Bazel nogo is named in the README as an integration target for the analyzer package.

### Sources

- <https://github.com/marketplace/actions/gosec-security-checker>
- <https://github.com/securego/gosec>
- <https://raw.githubusercontent.com/securego/gosec/master/README.md>
- <https://raw.githubusercontent.com/securego/gosec/master/RULES.md>
- <https://securego.io/docs/tools>


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals


## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: config.json
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** gosec
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - gosec: normalized package name match | nixpkgs package indexes: pkgs/by-name/go/gosec/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- apk - gosec - 2.23.0-r3: normalized package name match | Alpine Linux edge package indexes: gosec from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | Go source code static analyzer, focusing on security | https://github.com/securego/gosec
- dnf - gosec - 2.27.1-1.fc45: normalized package name match | Fedora Rawhide package metadata: gosec from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | Go security checker | https://github.com/securego/gosec
- zypper - gosec - 2.27.1-1.1: normalized package name match | openSUSE Tumbleweed package metadata: gosec from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | CLI tool to scan the Go AST and SSA code representations for security problems | https://github.com/securego/gosec
- MacPorts - gosec: normalized package name match | MacPorts ports tree: security/gosec/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
- Scoop - main/gosec: normalized package name match | Scoop official bucket manifest trees: bucket/gosec.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1


## Related links

- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Developer build packages](https://www.automicvault.com/pkg/developer-build-tools/) - Matched build, compiler, generator, or developer workflow metadata.
- [Language runtime packages](https://www.automicvault.com/pkg/language-runtime-packages/) - Matched language runtime, compiler, or interpreter metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [go](https://www.automicvault.com/pkg/brew/go/) - Runtime dependency declared by Homebrew.
- [xk6](https://www.automicvault.com/pkg/brew/xk6/) - Popular package that depends on this formula.
- [bandit](https://www.automicvault.com/pkg/brew/bandit/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [caracal](https://www.automicvault.com/pkg/brew/caracal/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [cargo-geiger](https://www.automicvault.com/pkg/brew/cargo-geiger/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [flawfinder](https://www.automicvault.com/pkg/brew/flawfinder/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [joern](https://www.automicvault.com/pkg/brew/joern/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [noir](https://www.automicvault.com/pkg/brew/noir/) - Shares av.db curated category or tags: cli, sast, security, static-analysis.
- [tfsec](https://www.automicvault.com/pkg/brew/tfsec/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [ghalint](https://www.automicvault.com/pkg/brew/ghalint/) - Shares av.db curated category or tags: cli, security, static-analysis.

## Combined YAML source

View the package source record on GitHub. [combined/gosec.yml](https://github.com/automic-vault/db/blob/main/combined/gosec.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
