{"id":49393000,"url":"https://github.com/rahul-aut-ind/go-analyzer","last_synced_at":"2026-04-28T14:11:38.800Z","repository":{"id":351742644,"uuid":"1210549226","full_name":"rahul-aut-ind/go-analyzer","owner":"rahul-aut-ind","description":"analyzes any Go codebase and produces useful reports","archived":false,"fork":false,"pushed_at":"2026-04-16T09:46:14.000Z","size":123,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-16T10:34:19.777Z","etag":null,"topics":["cli","code-quality","devto","go","golang","golang-cli","golang-tools","linter","security","static-analysis"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rahul-aut-ind.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-14T14:22:09.000Z","updated_at":"2026-04-16T09:44:55.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/rahul-aut-ind/go-analyzer","commit_stats":null,"previous_names":["rahul-aut-ind/go-analyzer"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/rahul-aut-ind/go-analyzer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rahul-aut-ind%2Fgo-analyzer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rahul-aut-ind%2Fgo-analyzer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rahul-aut-ind%2Fgo-analyzer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rahul-aut-ind%2Fgo-analyzer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rahul-aut-ind","download_url":"https://codeload.github.com/rahul-aut-ind/go-analyzer/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rahul-aut-ind%2Fgo-analyzer/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32383867,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-28T11:25:28.583Z","status":"ssl_error","status_checked_at":"2026-04-28T11:25:05.435Z","response_time":56,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli","code-quality","devto","go","golang","golang-cli","golang-tools","linter","security","static-analysis"],"created_at":"2026-04-28T14:11:37.649Z","updated_at":"2026-04-28T14:11:38.788Z","avatar_url":"https://github.com/rahul-aut-ind.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# go-analyzer — a static analysis CLI for Go codebases\n\n---\n\n[![Go Version](https://img.shields.io/badge/go-1.22+-blue)](https://golang.org/dl/)\n[![License](https://img.shields.io/badge/license-MIT-green)](LICENSE)\n[![CI](https://github.com/rahul-aut-ind/go-analyzer/actions/workflows/ci.yml/badge.svg)](https://github.com/rahul-aut-ind/go-analyzer/actions/workflows/ci.yml)\n[![pkg.go.dev](https://pkg.go.dev/badge/github.com/rahul-aut-ind/go-analyzer)](https://pkg.go.dev/github.com/rahul-aut-ind/go-analyzer)\n\n---\n\n## Features\n\n- **Race condition detection** — identifies goroutine data races and synchronization mistakes (RACE001–RACE004)\n- **Performance antipatterns** — flags allocation hotspots, regex recompilation, and costly value copies (PERF001–PERF006)\n- **Security vulnerabilities** — detects hardcoded secrets, weak crypto, unsafe TLS, and SQL injection patterns (SEC001–SEC006)\n- **Dependency health \u0026 CVE checks** — reports outdated modules and known vulnerabilities via govulncheck (DEP001–DEP002)\n- **Test coverage analysis** — surfaces uncovered exported functions and packages below the configured minimum (COV001–COV002)\n- **Code complexity metrics** — measures cyclomatic complexity, nesting depth, parameter count, and file size (CMPLX001–CMPLX005)\n- **Lint issues** — enforces godoc, error handling, panic discipline, and consistency rules plus `go vet` (LINT001–LINT006 + go vet)\n- **Dead code detection** — finds unused functions, unreachable statements, and orphaned exported constants (DEAD001–DEAD003)\n\n---\n\n## Installation\n\n```bash\ngo install github.com/rahul-aut-ind/go-analyzer@latest\n```\n\nRequires Go 1.22 or later. The `go-analyzer` binary is placed in `$GOPATH/bin` (or `$GOBIN`).\n\n---\n\n## Quick Start\n\n```bash\n# Scan current directory\ngo-analyzer scan .\n\n# Scan with HTML report\ngo-analyzer scan --format=html .\n\n# Fail CI on critical/high findings\ngo-analyzer scan --fail-on=high .\n\n# Initialize config\ngo-analyzer init\n\n# List all rules\ngo-analyzer rules list\n```\n\n---\n\n## CLI Reference\n\n### `scan [dir]`\n\nAnalyze a Go project directory. Defaults to `.` when `dir` is omitted.\n\n```\ngo-analyzer scan [flags] [dir]\n```\n\n| Flag | Type | Default | Description |\n|---|---|---|---|\n| `--only` | string | *(all)* | Comma-separated list of analyzer names to run exclusively (e.g. `race,lint`) |\n| `--skip` | string | *(none)* | Comma-separated list of analyzer names to skip |\n| `--format` | string | `json,markdown` | Comma-separated output formats: `json`, `markdown`, `html` |\n| `--output` | string | `.goanalyzer/reports` | Directory where report files are written |\n| `--fail-on` | string | *(off)* | Exit with code 1 when findings exist at or above this severity: `critical`, `high`, `medium`, `low` |\n| `--config` | string | *(auto-detect)* | Explicit path to `.goanalyzer.yaml` |\n| `--no-network` | bool | `false` | Skip all checks that require internet access (CVE lookups, latest-version checks) |\n| `--diff` | bool | `false` | Compare with the previous run and report only new findings |\n\n### `rules list`\n\nPrint a table of every rule ID, severity, analyzer, and one-line description.\n\n```\ngo-analyzer rules list\n```\n\n### `rules describe \u003cRULE_ID\u003e`\n\nShow the full description, a bad-code example, and a suggested fix for a single rule.\n\n```\ngo-analyzer rules describe RACE001\n```\n\n### `init`\n\nGenerate a `.goanalyzer.yaml` in the current directory pre-populated with all default values. Fails if the file already exists.\n\n```\ngo-analyzer init\n```\n\n### `version`\n\nPrint the binary version, commit hash, and build date.\n\n```\ngo-analyzer version\n```\n\n---\n\n## Config File Reference\n\n`go-analyzer` looks for `.goanalyzer.yaml` in the working directory unless overridden with `--config`. Run `go-analyzer init` to generate a starter file.\n\n```yaml\n# go-analyzer configuration file\n# Generated by: go-analyzer init\n\nscan:\n  exclude: []\n\nthresholds:\n  cyclomaticComplexity: 10\n  functionLength: 50\n  coverageMinimum: 80.0\n\nrules:\n  disable: []\n\ndependencies:\n  licensePolicy:\n    deny: []\n\nreport:\n  outputDir: .goanalyzer/reports\n  formats:\n    - html\n    - markdown\n  historyLimit: 5\n```\n\n### Field reference\n\n| Key | Type | Default | Description |\n|---|---|---|---|\n| `scan.exclude` | `[]string` | `[]` | Path patterns (glob) to exclude from analysis |\n| `thresholds.cyclomaticComplexity` | `int` | `10` | Maximum cyclomatic complexity per function before CMPLX001 fires |\n| `thresholds.functionLength` | `int` | `50` | Maximum function body line count before CMPLX002 fires |\n| `thresholds.coverageMinimum` | `float64` | `80.0` | Minimum required test coverage percentage (0–100); triggers COV002 below this value |\n| `rules.disable` | `[]string` | `[]` | Rule IDs to suppress globally (e.g. `[\"LINT004\", \"PERF006\"]`) |\n| `dependencies.licensePolicy.deny` | `[]string` | `[]` | SPDX license identifiers that are not permitted in dependencies |\n| `report.outputDir` | `string` | `\".goanalyzer/reports\"` | Directory where generated report files are saved |\n| `report.formats` | `[]string` | `[\"html\", \"markdown\"]` | Report formats to generate on each scan (`html`, `markdown`) |\n| `report.historyLimit` | `int` | `5` | Number of historical coverage snapshots to retain on disk |\n\n---\n\n## Rule Catalog\n\n### Race Conditions\n\n| Rule ID | Severity | Description |\n|---|---|---|\n| RACE001 | high | Loop variable captured by goroutine closure |\n| RACE002 | high | Map written in goroutine without mutex |\n| RACE003 | high | Non-atomic increment of shared int in goroutine |\n| RACE004 | medium | `sync.WaitGroup.Add` called inside goroutine |\n\n### Performance\n\n| Rule ID | Severity | Description |\n|---|---|---|\n| PERF001 | medium | String concatenation with `+` inside loop |\n| PERF002 | medium | `regexp.Compile`/`MustCompile` inside function body |\n| PERF003 | low | `defer` statement inside `for` loop |\n| PERF004 | low | `append` in loop without pre-allocation |\n| PERF005 | low | Large struct passed by value |\n| PERF006 | info | `fmt.Sprintf` used for single-variable to string conversion |\n\n### Security\n\n| Rule ID | Severity | Description |\n|---|---|---|\n| SEC001 | critical | `tls.Config` with `InsecureSkipVerify: true` |\n| SEC002 | high | Use of weak hash algorithm (`md5`/`sha1`) |\n| SEC003 | high | `exec.Command` called with a variable argument |\n| SEC004 | critical | Hardcoded secret literal in assignment |\n| SEC005 | high | SQL string built with `+` containing a variable |\n| SEC006 | medium | `math/rand` used in a security-sensitive context |\n\n### Dependency Health\n\n| Rule ID | Severity | Description |\n|---|---|---|\n| DEP001 | medium | Dependency is behind latest version |\n| DEP002 | critical | Dependency has a known CVE |\n\n### Test Coverage\n\n| Rule ID | Severity | Description |\n|---|---|---|\n| COV001 | medium | Exported function has 0% test coverage |\n| COV002 | high | Package coverage is below the configured minimum |\n\n### Code Complexity\n\n| Rule ID | Severity | Description |\n|---|---|---|\n| CMPLX001 | medium | Cyclomatic complexity exceeds threshold (default 10) |\n| CMPLX002 | low | Function body exceeds line-count threshold (default 50) |\n| CMPLX003 | medium | Nesting depth exceeds 4 levels |\n| CMPLX004 | low | Function has more than 5 parameters |\n| CMPLX005 | info | File exceeds 500 lines |\n\n### Lint\n\n| Rule ID | Severity | Description |\n|---|---|---|\n| LINT001 | low | Exported symbol missing godoc comment |\n| LINT002 | medium | Error return value explicitly ignored with `_` |\n| LINT003 | high | `panic()` called in a non-main, non-test package |\n| LINT004 | info | `init()` function present |\n| LINT005 | low | Inconsistent receiver names on the same type |\n| LINT006 | info | Magic number literal used outside a `const` block |\n| VET001 | medium | Diagnostic reported by `go vet` |\n\n### Dead Code\n\n| Rule ID | Severity | Description |\n|---|---|---|\n| DEAD001 | low | Unexported function is never called within its package |\n| DEAD002 | medium | Unreachable code follows a `return` or `panic` statement |\n| DEAD003 | info | Unused exported constant |\n\n---\n\n## Contributing\n\nContributions are welcome. Please follow the workflow below:\n\n1. **Fork** the repository and create a feature branch (`git checkout -b feat/my-improvement`).\n2. Write code and **add tests** for any new or changed behaviour.\n3. Ensure the full test suite passes: `go test ./...`\n4. Verify formatting and static checks: `gofmt -l .` and `go vet ./...`\n5. Open a **pull request** against `main` with a clear description of the change.\n\n### Code style\n\n- All Go source must be formatted with `gofmt` (enforced in CI).\n- Run `go vet ./...` before opening a PR; zero diagnostics are expected.\n- Every exported symbol (function, type, constant, variable) **must** have a godoc comment.\n- All packages under `internal/` must maintain a **minimum of 70% test coverage**.\n\n---\n\n## License\n\nMIT License\n\nCopyright (c) 2026 rahul-aut-ind\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frahul-aut-ind%2Fgo-analyzer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frahul-aut-ind%2Fgo-analyzer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frahul-aut-ind%2Fgo-analyzer/lists"}