Question 1

How do I suppress a false positive in gosec?

Accepted Answer

Use // #nosec comments on the line with the issue, optionally with rule IDs and a justification (e.g., // #nosec G402 -- This is a false positive). You can also use //gosec:disable directives for similar suppression.

Question 2

gosec vs govulncheck: which one should I use?

Accepted Answer

gosec focuses on static code analysis for vulnerabilities in your source code, like injection flaws. govulncheck scans for known vulnerabilities in dependencies. Use both together for comprehensive coverage—gosec for code issues, govulncheck for dependency risks.

Question 3

How to integrate gosec into GitHub Actions?

Accepted Answer

Use the securego/gosec GitHub Action in your workflow YAML. Configure it to run on pushes/pull requests, set args like -fmt sarif for output, and upload results with github/codeql-action/upload-sarif for code scanning integration.

Question 4

Does gosec scan Go test files?

Accepted Answer

By default, gosec ignores test files, but you can enable scanning with the -tests flag. This is useful for catching security issues in test code that might simulate production scenarios or contain sensitive logic.

Question 5

Can gosec automatically fix vulnerabilities?

Accepted Answer

gosec can suggest fixes using AI APIs, but it doesn't automatically apply them. You need to enable AI features with an API key and provider, then review and implement the suggestions manually, which adds external dependency and cost.

Question 6

What is the performance impact of running gosec on a large codebase?

Accepted Answer

gosec can be slow on large projects due to SSA analysis and dependency resolution, especially with go list commands for Go version detection. Use path exclusions and rule selection to limit scope, and run it in CI/CD rather than locally for efficiency.

Question 7

How to exclude specific directories from gosec scanning?

Accepted Answer

Use the -exclude-dir flag with directory names (e.g., gosec -exclude-dir=vendor ./...), or configure path-based exclusions in a JSON config file with regex patterns for more granular control over different code sections.

Golang Security Checker

What is Golang Security Checker?

Overview

Use Cases

Best For

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions