Go Scanner

Static analysis for Go — locally, in 60 seconds.

Scan your Go module for cyclomatic-complexity outliers, vulnerable dependencies, unchecked errors, unreachable functions, and tangled package imports — with the ik CLI itself written in Go. Pairs with go vet and staticcheck; inkode contributes the security, structural, and historical signal those don't.

Install the CLI Wire up GitHub Action

What it looks like

Running on a typical Go module

$ ik run inkode · cmd-pipeline Running 20 checks... ⚠ Complexity 5 findings 110ms (gocyclo, in-process) ⚠ Dependency Audit 2 findings 3.4s (govulncheck) ⚠ Dead Code 3 findings 2.8s (deadcode) ⚠ Error Handling 7 findings 1.2s (errcheck) ⚠ Magic Numbers 6 findings 230ms ✓ Test Presence no issues 8ms (testify detected) ✓ Import Graph no issues 12ms Score 74 / 100 grade C Report .ik/brief.html Share https://api.inkode.co/r/Gh4K7vBjLn8X

Go coverage

What we check, and how.

Check	Tool	What it catches in Go
Complexity	`gocyclo` (in-process)	Functions exceeding cyclomatic-complexity threshold (default 10). The gocyclo library is linked directly into `ik`, so no extra binary install — it just works.
Dependency Audit	`govulncheck`	OSV-database CVEs against your `go.sum`. The official Go security team's tool; queries OSV directly, no local DB to keep fresh. Walks call graphs to confirm the vulnerable code is actually reachable from your binary.
Dead Code	`deadcode`	golang.org/x/tools/cmd/deadcode — does whole-program reachability, not just file-local scanning. Reports functions and methods that no code path can reach from `main`.
Error Handling	`errcheck`	Unchecked errors — `foo()` when `foo` returns an error, or `_ = foo()` patterns that silently discard. The Go pattern AI tools default to when they're not sure how to handle the failure.
Magic Numbers	regex	Inline numeric literals in business logic. Go-aware skip rules ignore `const` / `var` blocks, import paths, and lines tagged `//nolint`.
Test Presence	fs walk	`*_test.go` classified as test files. testify framework detected via `go.mod`.
Import Graph	built-in `go/parser`	Cycles in the package graph, fan-in / fan-out outliers, god packages. Uses Go's own `go/parser` AST for accuracy; the same library `go build` uses.
Semantic Duplication	embedded LLM	Go functions extracted via the standard library's AST parser (more accurate than the regex extractors other languages use), embedded via Qwen2.5-Coder-0.5B, paired by cosine similarity. Catches helpers regenerated from scratch in different packages.
AI Stack	manifest scan	`github.com/sashabaranov/go-openai`, `github.com/anthropics/anthropic-sdk-go`, `github.com/tmc/langchaingo`, `github.com/ollama/ollama` detected in `go.mod`.
Secrets, Hotspots, Coupling, Duplication, Line Count, Infra, Scripts, TODO Density	language-agnostic	Same as every other language — gitleaks for secrets, git-log analysis for hotspots / coupling, jscpd for textual duplication, etc.

Where inkode adds signal beyond go vet

Use both.

CVE data with reachability

go vet is a linter, not a security tool. govulncheck walks call graphs from main to confirm a vulnerable function is actually reachable in your binary — not just declared in a transitive dependency you never call.

Whole-program dead code

staticcheck flags unused identifiers within a package. The deadcode tool walks every reachable call from main to find functions and methods that no path reaches — the kind that pile up after AI-generated refactors.

Unchecked errors

errcheck catches the Go-specific anti-pattern of x, _ := foo() or bare foo() when foo returns an error. AI tools default to these when they're not sure what to do; the language's idioms expect you not to.

Historical and structural signal

Hotspots from git log ranking, coupling pairs from co-change history, the package import graph for cycles — none of which a single-snapshot linter can see. Add the security pass (gitleaks) and you've got a complete picture, not just "does it compile."

Run it on your Go module.

Install in one line, scan in under a minute. No account required.

$ curl -fsSL https://inkode.co/install.sh | sh $ go install golang.org/x/vuln/cmd/govulncheck@latest $ go install golang.org/x/tools/cmd/deadcode@latest $ cd your-go-module && ik init && ik run

Book an Expert Review

More scanners

Scan another language

C# Java Python Rust TypeScript All scanners

Cross-cutting checks: secret scanning · dependency vulnerability scanning · AI code review