| name | security-scanning |
| description | Security scanning tools (gosec, govulncheck). Use when running security analysis. |
Security Scanning Skill
Security scanning tools and usage for Go.
When to Use
Use when performing security analysis or audits.
gosec - Static Security Analysis
Installation
go install github.com/securego/gosec/v2/cmd/gosec@latest
Usage
# Scan all packages
gosec ./...
# JSON output
gosec -fmt=json -out=results.json ./...
# Specific rules
gosec -include=G401,G501 ./...
Common Issues Detected
- G101: Hardcoded credentials
- G102: Bind to all interfaces
- G103: Unsafe block
- G104: Unhandled errors
- G201: SQL injection
- G202: SQL string concatenation
- G301: Poor file permissions
- G401: Weak cryptography (MD5, SHA1)
- G501: Blocklisted import (DES)
govulncheck - Vulnerability Scanner
Installation
go install golang.org/x/vuln/cmd/govulncheck@latest
Usage
# Scan for vulnerabilities
govulncheck ./...
# JSON output
govulncheck -json ./...
What It Checks
- Known vulnerabilities in dependencies
- Only reports vulnerabilities in code paths actually used
- Uses official Go vulnerability database
CI/CD Integration
# GitHub Actions
name: Security Scan
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
- name: Run Gosec
run: |
go install github.com/securego/gosec/v2/cmd/gosec@latest
gosec ./...
- name: Run govulncheck
run: |
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
Best Practices
- Run in CI/CD pipeline
- Address Critical/High issues first
- Review false positives
- Keep dependencies updated
- Scan regularly (weekly minimum)