4 Open-Source Security Tools Every Dev Should Know
Go's standard library is solid. The ecosystem is mature. But none of that protects you from leaked secrets or vulnerable dependencies. Security tooling fills the gap. The good news: the best tools in this space are open-source, free, and take about 1-10 minutes to set up. Here are four that punch way above their weight: what they do, why they matter, and how to drop them into your workflow today.

Gitleaks
⭐ 26k stars · gitleaks.io

Gitleaks scans your git history (yes, the whole thing) and your working tree for leaked secrets — API keys, AWS credentials, JWTs, private keys, the whole rogues' gallery. It's basically the de facto standard.

gitleaks detect --source . -v

That's the whole command. Run it, and within seconds it tells you exactly which commit, which file, and which line you screwed up.

Semgrep
⭐ 15k stars · semgrep.dev

Regular grep is a hammer. Semgrep is a scalpel. Here's what makes it different: Semgrep is semantic. If you write a rule looking for the value 2, it'll match x = 1; y = x + 1 because it knows y evaluates to 2. That's not regex magic; it's actual code comprehension.

For Go specifically, this means you can write rules like "flag any exec.Command call that takes user-controlled input" and it'll find them across your codebase, even when variable names differ.

Run it as a pre-commit hook to catch the dumb stuff before it ever hits CI:

semgrep --config=auto .

The auto config pulls community rules tailored to whatever languages it detects.

OSV-Scanner
⭐ 10k stars · osv.dev

Your dependencies are a liability. Mine are too. Most projects don't talk about this enough. OSV-Scanner is Google's answer, and it plugs into the OSV database — a unified vulnerability feed that aggregates data from dozens of sources. Point it at your go.mod and it tells you exactly which deps have known CVEs and how bad each one is.

osv-scanner --lockfile=go.mod

The genuinely useful feature: guided remediation.
It doesn't just yell "you have 47 vulnerabilities" — it ranks fixes by impact, dependency depth, severity, and return on investment. It's the difference between a doctor saying "you're sick" and one handing you a treatment plan.

govulncheck
⭐ 470 stars · pkg.go.dev/golang.org/x/vuln

Don't let the modest star count fool you. This is the official Go vulnerability scanner from the Go team itself, and it does something genuinely smarter than most of its competitors. Most scanners say: "you import a vulnerable library, panic now." govulncheck says: "you import a vulnerable library AND you actually CALL the vulnerable function in your code paths." That distinction is huge. The signal-to-noise ratio is night and day. No more drowning in false positives for code paths you never even hit.

go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...

The other wild thing: it works on compiled binaries too.

Here's the thing nobody wants to say out loud: AI is pushing your team's monthly code volume 2x to 10x higher than it was a year ago. More code. More diffs. More chances for something subtle to slip through until PR or production.

Static scanners are necessary, but they weren't designed for this volume. They catch known patterns — leaked secrets, known CVEs, known anti-patterns. They don't catch the new failure modes AI introduces:

- Code that "seems to work" but doesn't handle the edge case the prompt forgot to mention
- The same prompt yielding different implementations on different runs
- Subtle regressions buried in 400-line AI-generated diffs nobody actually reads
- Logic errors that only show up after the demo, in front of customers

When you ship AI-generated code, it's your responsibility to know what you're shipping. The model can generate the patch. Your team still owns the outage, the exploit, the rollback, and the customer trust. This is what I'm building git-lrc for — micro AI code reviews that run on every commit, before the diff enters git history.
- Git-native: reviews your staged diff at commit time, while context is still fresh
- Fast: a micro review takes about 30 to 60 seconds
- Useful: summary + bug, security, and performance warnings before code moves downstream

Small diffs reviewed early beat large diffs reviewed late. Every time.

The four tools above are your foundation. git-lrc is the verification loop on top — the difference between "we vibe-coded it and shipped" and "we shipped, and we know what we shipped." You can't delegate responsibility. But you can automate the part where you check the work.
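The exec.Command pattern the Semgrep section describes, as an added Go example that is not from the post or from any of the tools' projects: the shape a taint rule flags, beside a hardened handler where user input only selects a key in an allowlist. The handler, route and allowlist entries are assumptions.

```go
package main

import (
	"errors"
	"net/http"
	"os/exec"
)

// What the Semgrep rule above is meant to flag: a request value (source) flows
// straight into exec.Command (sink). Constructed illustration, not real project code.
func flaggedHandler(w http.ResponseWriter, r *http.Request) {
	tool := r.URL.Query().Get("tool")             // user-controlled
	out, _ := exec.Command(tool).CombinedOutput() // tainted argv[0]: any binary on PATH
	w.Write(out)
}

// allowlist maps an opaque user-facing name to a fixed program and argv.
// User input only selects a key; it never becomes part of the command line.
var allowlist = map[string][]string{
	"uptime":   {"uptime"},
	"diskfree": {"df", "-h"},
}
var errNotAllowed = errors.New("tool not in allowlist")

// resolveCommand turns user input into a fixed argv, or refuses it outright.
func resolveCommand(name string) ([]string, error) {
	argv, ok := allowlist[name]
	if !ok {
		return nil, errNotAllowed
	}
	return append([]string(nil), argv...), nil // copy: callers cannot mutate the table
}

// hardenedHandler keeps the feature, but exec.Command only ever receives allowlist
// values; in a Semgrep taint rule, declare resolveCommand as a sanitizer so it stays quiet.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	argv, err := resolveCommand(r.URL.Query().Get("tool"))
	if err != nil {
		http.Error(w, "unknown tool", http.StatusBadRequest)
		return
	}
	out, err := exec.Command(argv[0], argv[1:]...).CombinedOutput()
	if err != nil {
		http.Error(w, "tool failed", http.StatusInternalServerError)
		return
	}
	w.Write(out)
}

func main() {
	http.HandleFunc("/run", hardenedHandler)
	http.ListenAndServe(":8080", nil)
}
```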
