Go

Go tooling standards: golangci-lint, gofumpt, govulncheck, and go test.

Go projects use golangci-lint for linting, gofumpt for formatting, govulncheck for security scanning, and go test for testing.

Tools

CategoryToolPurpose
Lintergolangci-lint v2Meta-linter (bundles go vet, staticcheck, gosec, errcheck, etc.)
FormattergofumptStrict superset of gofmt
SecuritygovulncheckScans module dependencies for known vulnerabilities
Testsgo testBuilt-in Go test runner

All tools are pre-installed in the dev-toolchain container. Do not install them on the host.

Configuration

golangci-lint

Config file: .golangci.yml at repository root.

# .golangci.yml -- DevRail Go lint configuration
version: "2"

linters:
  enable:
    - errcheck
    - govet
    - staticcheck
    - gosec
    - ineffassign
    - unused
    - gocritic
    - gofumpt
    - misspell
    - revive

issues:
  exclude-dirs:
    - vendor
    - node_modules

golangci-lint v2 uses a version: "2" key in the config file. It is a meta-linter that bundles dozens of linters. Do not install standalone versions of go vet, staticcheck, gosec, or errcheck.

gofumpt

No config file required. gofumpt is a strict superset of gofmt. It enforces additional formatting rules (grouped imports, consistent spacing). Run with gofumpt -w . to apply fixes or gofumpt -d . to check.

govulncheck

No config file required. Scans go.sum for known vulnerabilities in module dependencies. Requires the Go SDK at runtime because it uses go/packages internally.

Makefile Targets

TargetCommandDescription
make lintgolangci-lint run ./...Lint all Go files
make formatgofumpt -d .Check formatting (diff mode)
make securitygovulncheck ./...Dependency vulnerability scanning (if go.sum exists)
make testgo test ./...Run test suite (if *_test.go files exist)

Pre-Commit Hooks

Local Hooks (run on every commit, under 30 seconds)

golangci-lint runs on every commit to catch lint and formatting issues:

# .pre-commit-config.yaml -- Go hooks
repos:
  - repo: https://github.com/golangci/golangci-lint
    rev: v2.1.6
    hooks:
      - id: golangci-lint-full

CI-Only (too slow for local hooks)

  • govulncheck ./... – dependency vulnerability scanning
  • go test ./... – full test suite

Notes

  • golangci-lint v2 is the single linting tool. It bundles go vet, staticcheck, gosec, errcheck, and dozens more. Do not install standalone versions of these linters.
  • gofumpt is a strict superset of gofmt. All gofmt-valid code is gofumpt-valid, but gofumpt enforces additional style rules. Use gofumpt exclusively.
  • govulncheck requires the Go SDK at runtime. Unlike other tools that are standalone binaries, govulncheck uses go/packages to analyze module dependencies. The Go SDK is included in the dev-toolchain container for this reason.
  • Go tools use ./... patterns. The ./... pattern matches all packages in the module. This is the standard Go convention for recursive operations.
  • go.sum presence gates security scanning. If no go.sum file exists, govulncheck is skipped because there are no module dependencies to scan.
  • All tools are pre-installed in the dev-toolchain container. Do not install them on the host.