https://github.com/rahul-aut-ind/go-analyzer
analyzes any Go codebase and produces useful reports
https://github.com/rahul-aut-ind/go-analyzer
cli code-quality devto go golang golang-cli golang-tools linter security static-analysis
Last synced: 3 months ago
JSON representation
analyzes any Go codebase and produces useful reports
- Host: GitHub
- URL: https://github.com/rahul-aut-ind/go-analyzer
- Owner: rahul-aut-ind
- License: mit
- Created: 2026-04-14T14:22:09.000Z (3 months ago)
- Default Branch: main
- Last Pushed: 2026-04-16T09:46:14.000Z (3 months ago)
- Last Synced: 2026-04-16T10:34:19.777Z (3 months ago)
- Topics: cli, code-quality, devto, go, golang, golang-cli, golang-tools, linter, security, static-analysis
- Language: Go
- Homepage:
- Size: 120 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS
- Security: SECURITY.md
Awesome Lists containing this project
README
# go-analyzer — a static analysis CLI for Go codebases
---
[](https://golang.org/dl/)
[](LICENSE)
[](https://github.com/rahul-aut-ind/go-analyzer/actions/workflows/ci.yml)
[](https://pkg.go.dev/github.com/rahul-aut-ind/go-analyzer)
---
## Features
- **Race condition detection** — identifies goroutine data races and synchronization mistakes (RACE001–RACE004)
- **Performance antipatterns** — flags allocation hotspots, regex recompilation, and costly value copies (PERF001–PERF006)
- **Security vulnerabilities** — detects hardcoded secrets, weak crypto, unsafe TLS, and SQL injection patterns (SEC001–SEC006)
- **Dependency health & CVE checks** — reports outdated modules and known vulnerabilities via govulncheck (DEP001–DEP002)
- **Test coverage analysis** — surfaces uncovered exported functions and packages below the configured minimum (COV001–COV002)
- **Code complexity metrics** — measures cyclomatic complexity, nesting depth, parameter count, and file size (CMPLX001–CMPLX005)
- **Lint issues** — enforces godoc, error handling, panic discipline, and consistency rules plus `go vet` (LINT001–LINT006 + go vet)
- **Dead code detection** — finds unused functions, unreachable statements, and orphaned exported constants (DEAD001–DEAD003)
---
## Installation
```bash
go install github.com/rahul-aut-ind/go-analyzer@latest
```
Requires Go 1.22 or later. The `go-analyzer` binary is placed in `$GOPATH/bin` (or `$GOBIN`).
---
## Quick Start
```bash
# Scan current directory
go-analyzer scan .
# Scan with HTML report
go-analyzer scan --format=html .
# Fail CI on critical/high findings
go-analyzer scan --fail-on=high .
# Initialize config
go-analyzer init
# List all rules
go-analyzer rules list
```
---
## CLI Reference
### `scan [dir]`
Analyze a Go project directory. Defaults to `.` when `dir` is omitted.
```
go-analyzer scan [flags] [dir]
```
| Flag | Type | Default | Description |
|---|---|---|---|
| `--only` | string | *(all)* | Comma-separated list of analyzer names to run exclusively (e.g. `race,lint`) |
| `--skip` | string | *(none)* | Comma-separated list of analyzer names to skip |
| `--format` | string | `json,markdown` | Comma-separated output formats: `json`, `markdown`, `html` |
| `--output` | string | `.goanalyzer/reports` | Directory where report files are written |
| `--fail-on` | string | *(off)* | Exit with code 1 when findings exist at or above this severity: `critical`, `high`, `medium`, `low` |
| `--config` | string | *(auto-detect)* | Explicit path to `.goanalyzer.yaml` |
| `--no-network` | bool | `false` | Skip all checks that require internet access (CVE lookups, latest-version checks) |
| `--diff` | bool | `false` | Compare with the previous run and report only new findings |
### `rules list`
Print a table of every rule ID, severity, analyzer, and one-line description.
```
go-analyzer rules list
```
### `rules describe `
Show the full description, a bad-code example, and a suggested fix for a single rule.
```
go-analyzer rules describe RACE001
```
### `init`
Generate a `.goanalyzer.yaml` in the current directory pre-populated with all default values. Fails if the file already exists.
```
go-analyzer init
```
### `version`
Print the binary version, commit hash, and build date.
```
go-analyzer version
```
---
## Config File Reference
`go-analyzer` looks for `.goanalyzer.yaml` in the working directory unless overridden with `--config`. Run `go-analyzer init` to generate a starter file.
```yaml
# go-analyzer configuration file
# Generated by: go-analyzer init
scan:
exclude: []
thresholds:
cyclomaticComplexity: 10
functionLength: 50
coverageMinimum: 80.0
rules:
disable: []
dependencies:
licensePolicy:
deny: []
report:
outputDir: .goanalyzer/reports
formats:
- html
- markdown
historyLimit: 5
```
### Field reference
| Key | Type | Default | Description |
|---|---|---|---|
| `scan.exclude` | `[]string` | `[]` | Path patterns (glob) to exclude from analysis |
| `thresholds.cyclomaticComplexity` | `int` | `10` | Maximum cyclomatic complexity per function before CMPLX001 fires |
| `thresholds.functionLength` | `int` | `50` | Maximum function body line count before CMPLX002 fires |
| `thresholds.coverageMinimum` | `float64` | `80.0` | Minimum required test coverage percentage (0–100); triggers COV002 below this value |
| `rules.disable` | `[]string` | `[]` | Rule IDs to suppress globally (e.g. `["LINT004", "PERF006"]`) |
| `dependencies.licensePolicy.deny` | `[]string` | `[]` | SPDX license identifiers that are not permitted in dependencies |
| `report.outputDir` | `string` | `".goanalyzer/reports"` | Directory where generated report files are saved |
| `report.formats` | `[]string` | `["html", "markdown"]` | Report formats to generate on each scan (`html`, `markdown`) |
| `report.historyLimit` | `int` | `5` | Number of historical coverage snapshots to retain on disk |
---
## Rule Catalog
### Race Conditions
| Rule ID | Severity | Description |
|---|---|---|
| RACE001 | high | Loop variable captured by goroutine closure |
| RACE002 | high | Map written in goroutine without mutex |
| RACE003 | high | Non-atomic increment of shared int in goroutine |
| RACE004 | medium | `sync.WaitGroup.Add` called inside goroutine |
### Performance
| Rule ID | Severity | Description |
|---|---|---|
| PERF001 | medium | String concatenation with `+` inside loop |
| PERF002 | medium | `regexp.Compile`/`MustCompile` inside function body |
| PERF003 | low | `defer` statement inside `for` loop |
| PERF004 | low | `append` in loop without pre-allocation |
| PERF005 | low | Large struct passed by value |
| PERF006 | info | `fmt.Sprintf` used for single-variable to string conversion |
### Security
| Rule ID | Severity | Description |
|---|---|---|
| SEC001 | critical | `tls.Config` with `InsecureSkipVerify: true` |
| SEC002 | high | Use of weak hash algorithm (`md5`/`sha1`) |
| SEC003 | high | `exec.Command` called with a variable argument |
| SEC004 | critical | Hardcoded secret literal in assignment |
| SEC005 | high | SQL string built with `+` containing a variable |
| SEC006 | medium | `math/rand` used in a security-sensitive context |
### Dependency Health
| Rule ID | Severity | Description |
|---|---|---|
| DEP001 | medium | Dependency is behind latest version |
| DEP002 | critical | Dependency has a known CVE |
### Test Coverage
| Rule ID | Severity | Description |
|---|---|---|
| COV001 | medium | Exported function has 0% test coverage |
| COV002 | high | Package coverage is below the configured minimum |
### Code Complexity
| Rule ID | Severity | Description |
|---|---|---|
| CMPLX001 | medium | Cyclomatic complexity exceeds threshold (default 10) |
| CMPLX002 | low | Function body exceeds line-count threshold (default 50) |
| CMPLX003 | medium | Nesting depth exceeds 4 levels |
| CMPLX004 | low | Function has more than 5 parameters |
| CMPLX005 | info | File exceeds 500 lines |
### Lint
| Rule ID | Severity | Description |
|---|---|---|
| LINT001 | low | Exported symbol missing godoc comment |
| LINT002 | medium | Error return value explicitly ignored with `_` |
| LINT003 | high | `panic()` called in a non-main, non-test package |
| LINT004 | info | `init()` function present |
| LINT005 | low | Inconsistent receiver names on the same type |
| LINT006 | info | Magic number literal used outside a `const` block |
| VET001 | medium | Diagnostic reported by `go vet` |
### Dead Code
| Rule ID | Severity | Description |
|---|---|---|
| DEAD001 | low | Unexported function is never called within its package |
| DEAD002 | medium | Unreachable code follows a `return` or `panic` statement |
| DEAD003 | info | Unused exported constant |
---
## Contributing
Contributions are welcome. Please follow the workflow below:
1. **Fork** the repository and create a feature branch (`git checkout -b feat/my-improvement`).
2. Write code and **add tests** for any new or changed behaviour.
3. Ensure the full test suite passes: `go test ./...`
4. Verify formatting and static checks: `gofmt -l .` and `go vet ./...`
5. Open a **pull request** against `main` with a clear description of the change.
### Code style
- All Go source must be formatted with `gofmt` (enforced in CI).
- Run `go vet ./...` before opening a PR; zero diagnostics are expected.
- Every exported symbol (function, type, constant, variable) **must** have a godoc comment.
- All packages under `internal/` must maintain a **minimum of 70% test coverage**.
---
## License
MIT License
Copyright (c) 2026 rahul-aut-ind
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.