Go SAST
What xgrep detects in Go — injection, SSRF, weak crypto, integer-overflow and memory-safety issues, and error-handling bugs — with taint analysis.
xgrep parses .go files into tree-sitter ASTs and ships roughly 60 rules, 16 of
them taint-based, focused on the standard library and common patterns (net/http,
database/sql, crypto/tls, os/exec). Scan a source tree with:
    xgrep scan --include '*.go' .
What xgrep detects
Injection — sql-injection, command-injection, email-injection,
format-string-injection, log-injection, xpath-injection.
Cross-site scripting — xss-response-writer.
SSRF, redirects & URL validation — ssrf-request, open-redirect,
bad-redirect-check, unanchored-url-validation, incomplete-url-scheme-check,
incomplete-hostname-regexp.
Path traversal & files — path-traversal, overly-permissive-file.
Deserialization — unsafe-deserialization.
Crypto, TLS & SSH — insecure-tls, disabled-cert-validation, weak-cipher,
weak-cipher-usage, weak-hash, weak-key-size, weak-random, insecure-host-key,
insecure-host-key-callback, cleartext-storage / -transmission.
Auth & comparisons — cookie-no-httponly / -secure, csrf-constant-state,
jwt-unverified, timing-attack-string-comparison, constant-length-comparison.
Integer & memory safety — integer-overflow, allocation-size-overflow,
uncontrolled-allocation, shift-out-of-range, negative-length-check,
mistyped-exponentiation.
Error handling & correctness — missing-error-check, wrapped-error-always-nil,
redundant-recover, unhandled-close-writable-handle, plus dead-store and
duplicate-branch checks (run with --category correctness).
Data exposure — hardcoded-credentials, sensitive-data-logging,
stacktrace-exposure.
Taint analysis
16 rules use taint mode: a value read from an HTTP handler's request (query
parameters, form values, headers, body) must reach a sink (exec.Command, a SQL
query, http.Get, an io.Writer response) before the rule fires. A call that merely
has the shape of a sink, with no request-derived data flowing into it, is not
reported.
See also Secrets scanning and the CLI reference.
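The source-to-sink flow described above, worked through for the command-injection case. This is an added example, not xgrep's own code and not one of its rules: the function names (validateHost, buildPingVulnerable, buildPingSafe, pingHandler, probeHandler), the hostname allowlist regexp and the request values are assumptions made for illustration. Whether xgrep treats a validator like validateHost as a sanitizer that breaks the taint flow is not stated on this page; what the hardened form does remove is the shell between the request value and the process that runs.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"os/exec"
	"regexp"
)

// hostnameRE is a deliberately narrow allowlist for a hostname (assumption
// for this example): letters, digits, dots and hyphens only, so shell
// metacharacters, whitespace and quotes can never pass.
var hostnameRE = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$`)

// validateHost returns s unchanged when it is an IP literal or a hostname
// that matches the allowlist, and an error otherwise.
func validateHost(s string) (string, error) {
	if net.ParseIP(s) != nil {
		return s, nil
	}
	if hostnameRE.MatchString(s) {
		return s, nil
	}
	return "", errors.New("host contains characters outside the allowlist")
}

// buildPingVulnerable is the shape the command-injection taint rule fires on
// when host came from a request: the tainted string is spliced into a shell
// command line, so a host of "8.8.8.8; id" runs id after ping. The command is
// only constructed here, never started.
func buildPingVulnerable(host string) *exec.Cmd {
	return exec.Command("sh", "-c", "ping -c 1 "+host)
}

// buildPingSafe validates first and then passes host as one argv element with
// no shell in between, so metacharacters carry no meaning to the process.
func buildPingSafe(host string) (*exec.Cmd, error) {
	h, err := validateHost(host)
	if err != nil {
		return nil, err
	}
	return exec.Command("ping", "-c", "1", h), nil
}

// pingHandler is the HTTP side of the flow: r.URL.Query() is the taint source.
// Only the validated builder is wired to the handler.
func pingHandler(w http.ResponseWriter, r *http.Request) {
	cmd, err := buildPingSafe(r.URL.Query().Get("host"))
	if err != nil {
		http.Error(w, "bad host", http.StatusBadRequest)
		return
	}
	out, err := cmd.CombinedOutput()
	if err != nil {
		http.Error(w, "ping failed", http.StatusBadGateway)
		return
	}
	w.Write(out)
}

// probeHandler drives pingHandler with a constructed request (no listener,
// no network) and returns the HTTP status it produced.
func probeHandler(host string) int {
	req := httptest.NewRequest(http.MethodGet, "/ping?host="+url.QueryEscape(host), nil)
	rec := httptest.NewRecorder()
	pingHandler(rec, req)
	return rec.Code
}

func main() {
	injected := "8.8.8.8; id" // constructed attacker-controlled query value
	fmt.Println("vulnerable argv:", buildPingVulnerable(injected).Args)
	_, err := buildPingSafe(injected)
	fmt.Println("safe builder rejected it:", err != nil)
	fmt.Println("handler status for injected host:", probeHandler(injected))
}
```

The vulnerable builder produces argv ["sh", "-c", "ping -c 1 8.8.8.8; id"], which is the flow the rule is looking for; the safe builder rejects the same input and, for a valid host, produces argv ["ping", "-c", "1", host] with the host confined to a single argument.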