goast logo

goast

DeprecatedDeprecated

Go AST (Abstract Syntax Tree) based static analysis tool with Rego.

Tutorials / Guides

  • goast screenshot

47 Alternatives for goast

aligncheck

Find inefficiently packed structs.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

bodyclose

Checks whether HTTP response body is closed.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

deadcode

Finds unused code.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

dingo-hunter

Static analyser for finding deadlocks in Go.

  • DeprecatedDeprecated
  • DeprecatedGo
  • Deprecatedcli
  • Deprecatedlinter

dogsled

Finds assignments/declarations with too many blank identifiers.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

dupl

Reports potentially duplicated code.

  • DeprecatedDeprecated
  • DeprecatedGo
  • Deprecatedcli
  • Deprecatedlinter

errcheck

Check that error return values are used.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

errwrap

Wrap and fix Go errors with the new %w verb directive. This tool analyzes fmt.Errorf() calls and reports calls that contain a verb directive that is different than the new %w verb directive introduced in Go v1.13. It's also capable of rewriting calls to use the new %w wrap verb directive.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

flen

Get info on length of functions in a Go package.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

go/ast

Package ast declares the types used to represent syntax trees for Go packages.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

go-consistent

Analyzer that helps you to make your Go programs more consistent.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

go-critic

Go source code linter that maintains checks which are currently not implemented in other linters.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

go tool vet --shadow

Reports variables that may have been unintentionally shadowed.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

go vet

Examines Go source code and reports suspicious.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

gochecknoglobals

Checks that no globals are present.

  • DeprecatedDeprecated
  • DeprecatedGo
  • Deprecatedcli
  • Deprecatedlinter

goconst

Finds repeated strings that could be replaced by a constant.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

gocyclo

Calculate cyclomatic complexities of functions in Go source code.

  • DeprecatedDeprecated
  • DeprecatedGo
  • Deprecatedcli
  • Deprecatedlinter

gofmt -s

Checks if the code is properly formatted and could not be further simplified.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • MaintainedlinterMaintainedformatter

goimports

Checks missing or unreferenced package imports.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

gokart

Golang security analysis with a focus on minimizing false positives. It is capable of tracing the source of variables and function arguments to determine whether input sources are safe.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

GolangCI-Lint

Alternative to Go Meta Linter: GolangCI-Lint is a linters aggregator.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

golint

Prints out coding style mistakes in Go source code.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

goroutine-inspect

An interactive tool to analyze Golang goroutine dump.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

gosec (gas)

Inspects source code for security problems by scanning the Go AST.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

gotype

Syntactic and semantic analysis similar to the Go compiler.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

govulncheck

Govulncheck reports known vulnerabilities that affect Go code. It uses static analysis of source code or a binary's symbol table to narrow down reports to only those that could affect the application. By default, govulncheck makes requests to the Go vulnerability database at https://vuln.go.dev. Requests to the vulnerability database contain only module paths, not code or other properties of your program.

  • MaintainedMaintained
  • MaintainedGo
  • MaintainedcliMaintainedservice
  • Maintainedlinter

ineffassign

Detect ineffectual assignments in Go code.

  • DeprecatedDeprecated
  • DeprecatedGo
  • Deprecatedcli
  • Deprecatedlinter

interfacer

Suggest narrower interfaces that can be used.

  • DeprecatedDeprecated
  • DeprecatedGo
  • Deprecatedcli
  • Deprecatedlinter

lll

Report long lines.

  • DeprecatedDeprecated
  • DeprecatedGo
  • Deprecatedcli
  • Deprecatedlinter

maligned

Detect structs that would take less memory if their fields were sorted.

  • DeprecatedDeprecated
  • DeprecatedGo
  • Deprecatedcli
  • Deprecatedlinter

misspell

Finds commonly misspelled English words.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

nakedret

Finds naked returns.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

nargs

Finds unused arguments in function declarations.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

prealloc

Finds slice declarations that could potentially be preallocated.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

Reviewdog

A tool for posting review comments from any linter in any code hosting service.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

revive

Fast, configurable, extensible, flexible, and beautiful linter for Go. Drop-in replacement of golint.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

safesql

Static analysis tool for Golang that protects against SQL injections.

  • DeprecatedDeprecated
  • DeprecatedGo
  • Deprecatedcli
  • Deprecatedlinter

shisho

A lightweight static code analyzer designed for developers and security teams. It allows you to analyze and transform source code with an intuitive DSL similar to sed, but for code.

  • DeprecatedDeprecated
  • DeprecatedGo
  • DeprecatedcliDeprecatedservice
  • Deprecatedlinter

staticcheck

Go static analysis that specialises in finding bugs, simplifying code and improving performance.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

structcheck

Find unused struct fields.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

structslop

Static analyzer for Go that recommends struct field rearrangements to provide for maximum space/allocation efficiency

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • MaintainedlinterMaintainedformatter

test

Show location of test failures from the stdlib testing module.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

unconvert

Detect redundant type conversions.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

unparam

Find unused function parameters.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

varcheck

Find unused global variables and constants.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

wsl

Enforces empty lines at the right places.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

statsviz

Instant live visualization of your Go application runtime statistics in the browser. It plots heap usage, MSpans/MCaches, Object counts, Goroutines and GC/CPU fraction.

  • MaintainedMaintained
  • MaintainedGo
  • Maintainedcli
  • Maintainedlinter

26 Multi-Language Tools

ApplicationInspector

Creates reports of over 400 rule patterns for feature detection (e.g. the use of cryptography or version control in apps).

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

autocorrect

A linter and formatter to help you to improve copywriting, correct spaces, words, punctuations between CJK (Chinese, Japanese, Korean).

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • MaintainedlinterMaintainedformatter

Bearer

Open-Source static code analysis tool to discover, filter and prioritize security risks and vulnerabilities leading to sensitive data exposures (PII, PHI, PD). Highly configurable and easily extensible, built for security and engineering teams.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Betterscan CE

Sponsor

Checks your code and infra (various Git repositories supported, cloud stacks, CLI, Web Interface platform, integrationss available) for security and quality issues. Code Scanning/SAST/Linting using many tools/Scanners deduplicated with One Report (AI optional).

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

callGraph

Statically generates a call graph image and displays it on screen.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Checkmarx CxSAST

Commercial Static Code Analysis which doesn't require pre-compilation.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

DerScanner

Multi-language Static Application Security Testing (SAST) platform that detects critical vulnerabilities, including hardcoded secrets, weak cryptography, backdoors, SQL injections, insecure configurations, etc.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedservice
  • Maintainedlinter

emerge

Emerge is a source code and dependency visualizer that can be used to gather insights about source code structure, metrics, dependencies and complexity of software projects. After scanning the source code of a project it provides you an interactive web interface to explore and analyze your project by using graph structures.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedservice
  • Maintainedlinter

goone

Finds N+1 queries (SQL calls in a for loop) in go code

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

Hound CI

Comments on style violations in GitHub pull requests. Supports Coffeescript, Go, HAML, JavaScript, Ruby, SCSS and Swift.

  • DeprecatedDeprecated
  • DeprecatedMulti-Language
  • Deprecatedcli
  • Deprecatedlinter

lizard

Lizard is an extensible Cyclomatic Complexity Analyzer for many programming languages including C/C++ (doesn't require all the header files or Java imports). It also does copy-paste detection (code clone detection/code duplicate detection) and many other forms of static code analysis. Counts lines of code without comments, CCN (cyclomatic complexity number), token count of functions, parameter count of functions.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Mega-Linter

Mega-Linter can handle any type of project thanks to its 70+ embedded Linters, its advanced reporting, runnable on any CI system or locally, with assisted installation and configuration, able to apply formatting and fixes

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Precaution

Precaution is a static analysis security tool (SAST) designed to find potentially critical vulnerabilities in source code prior to production. It is available as a CLI, GitHub Action, and GitHub App.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedservice
  • Maintainedlinter

Semgrep

Sponsor

A fast, open-source, static analysis tool for finding bugs and enforcing code standards at editor, commit, and CI time. Its rules look like the code you already write; no abstract syntax trees or regex wrestling. Supports 17+ languages.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedservice
  • Maintainedlinter

ShiftLeft Scan

Scan is a free open-source DevSecOps platform for detecting security issues in source code and dependencies. It supports a broad range of languages and CI/CD pipelines.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedservice
  • Maintainedlinter

Sigrid

Sigrid helps you to improve your software by measuring your system's code quality, and then compares the results against a benchmark of thousands of industry systems to give you concrete advice on areas where you can improve.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedservice
  • Maintainedlinter

SonarLint

SonarLint is a free IDE extension available for IntelliJ, VS Code, Visual Studio, and Eclipse, to find and fix coding issues in real-time, flagging issues as you code, just like a spell-checker. More than a linter, it also delivers rich contextual guidance to help developers understand why there is an issue, assess the risk, and educate them on how to fix it.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

sqlvet

Performs static analysis on raw SQL queries in your Go code base to surface potential runtime errors. It checks for SQL syntax error, identifies unsafe queries that could potentially lead to SQL injections makes sure column count matches value count in INSERT statements and validates table- and column names.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

StaticReviewer

Static Reviewer executes code checks according to the most relevant Secure Coding Standards, OWASP, CWE, CVE, CVSS, MISRA, CERT, for 40+ programming languages, using 1000+ built-in validation rules for Security, Deadcode & Best Practices Available a module for Software Composition Analysis (SCA) to find vulnerabilities in open source and third party libraries.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Super-Linter

Combination of multiple linters to install as a GitHub Action.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Svace

Static code analysis tool for Java,C,C++,C#,Go.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

TencentCodeAnalysis

Tencent Cloud Code Analysis (TCA for short, code-named CodeDog inside the company early) is a comprehensive platform for code analysis and issue tracking. TCA consist of three components, server, web and client. It integrates of a number of self-developed tools, and also supports dynamic integration of code analysis tools in various programming languages.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • MaintainedcliMaintainedservice
  • Maintainedlinter

todocheck

Linter for integrating annotated TODOs with your issue trackers

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

trunk

Modern repositories include many technologies, each with its own set of linters. With 30+ linters and counting, Trunk makes it dead-simple to identify, install, configure, and run the right linters, static analyzers, and formatters for all your repos.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • MaintainedlinterMaintainedformatter

CASR

Crash Analysis and Severity Report.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • Maintainedlinter

Sydr

Continuous Hybrid Fuzzing and Dynamic Analysis for Security Development Lifecycle.

  • MaintainedMaintained
  • MaintainedMulti-Language
  • Maintainedcli
  • MaintainedlinterMaintainedfuzzer

Our Sponsors

This website is completely open source. To fund our work, we fully rely on sponsors. Thanks to them, we can keep the site free for everybody. Please check out their offers below.

  • BugProve
  • Pixee
  • semgrep
  • Offensive 360
  • BetterScan