
Improving Go code: An introduction to the static analysis tool Staticcheck - ngaut
https://superhighway.dev/staticcheck-in-action
======
henvic
Thanks! I switched jobs six months ago. Previously, I worked mostly solo
and relied on staticcheck and other static analysis tools a lot. On this new
job I quickly found out we weren't using any tools, and staticcheck was the
one I missed the most. Fortunately I was able to show its value, and we are
steadily improving our codebase thanks to it.

This and also gosec are invaluable!

Something I looked at recently and should adopt soon:
[https://github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint)

So far, this is what my 'de facto' lint list looks like:

    echo "Checking for unchecked errors."
    errcheck $(go list ./...)
    echo "Linting code."
    test -z "$(golint `go list ./...` | tee /dev/stderr)"
    echo "Examining source code against code defect."
    go vet $(go list ./...)
    go vet -vettool=$(which shadow)
    echo "Running staticcheck toolset https://staticcheck.io"
    staticcheck ./...
    echo "Checking if code contains security issues."
    # TODO(henvic) fix/update gosec when available:
    # G104: Doesn't understand _ assignments #270
    # https://github.com/securego/gosec/issues/270
    # Ignoring G104: Audit errors not checked for now.
    gosec -quiet -exclude G104 --quiet ./...

~~~
dgellow
golangci-lint is just awesome. We started enabling it on all our repositories
in combination with
[https://github.com/reviewdog/action-golangci-lint](https://github.com/reviewdog/action-golangci-lint)
to have GitHub check warnings integration directly in the PR diff.

Also, it is now available as a choice of Go linter in Visual Studio Code.

------
ainar-g
Staticcheck is invaluable, and I support it with words, actions, and money.
Here are some additional tools that you might want to have in your module's
tools.go:

* github.com/kisielk/errcheck[1]: Find cases where you (accidentally?) ignore errors.

* github.com/gordonklaus/ineffassign[2]: Find ineffectual assignments; sounds simple, almost unneeded, but in my practice it's actually one of the most effective analyses to find actual bugs.

* mvdan.cc/unparam[3]: Find functions that always consume or return one value; great for refactorings.

[1] [https://github.com/kisielk/errcheck](https://github.com/kisielk/errcheck)

[2] [https://github.com/gordonklaus/ineffassign](https://github.com/gordonklaus/ineffassign)

[3] [https://github.com/mvdan/unparam](https://github.com/mvdan/unparam)
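
The two bug classes described in this comment for errcheck and ineffassign, shown next to their corrected forms. This is an added example, not code from the thread or from any of the tools; `fullDisk` and all function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"io"
	"strconv"
)

// fullDisk is a constructed writer that always fails.
type fullDisk struct{}
func (fullDisk) Write([]byte) (int, error) { return 0, io.ErrShortWrite }

// logUnchecked drops io.WriteString's error, the pattern errcheck reports.
func logUnchecked(w io.Writer, rec string) error {
	io.WriteString(w, rec) // failure is lost; caller is told the record was stored
	return nil
}

// logChecked propagates the write failure to the caller.
func logChecked(w io.Writer, rec string) error {
	_, err := io.WriteString(w, rec)
	return err
}

// idsIneffectual overwrites the first err unread, the pattern ineffassign reports.
func idsIneffectual(uid, gid string) (int, int, error) {
	u, err := strconv.Atoi(uid) // this err is never read
	g, err := strconv.Atoi(gid)
	if err != nil {
		return 0, 0, err
	}
	return u, g, nil // a malformed uid comes back as 0 with a nil error
}

// idsChecked keeps each error in its own variable and tests both.
func idsChecked(uid, gid string) (int, int, error) {
	u, errU := strconv.Atoi(uid)
	g, errG := strconv.Atoi(gid)
	if errU != nil || errG != nil {
		return 0, 0, fmt.Errorf("bad ids: uid=%v gid=%v", errU, errG)
	}
	return u, g, nil
}

func main() {
	fmt.Println(logUnchecked(fullDisk{}, "login ok\n"), logChecked(fullDisk{}, "login ok\n"))
	fmt.Println(idsIneffectual("root", "100"))
}
```

Both unchecked variants compile and pass `go build` without complaint, which is why these cases only surface when the linters run.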

------
pram
My favorite feature of Staticcheck is that it tells you when a method is
deprecated in a library you’re using. Would never know otherwise!

------
AYBABTME
btw you can support the author of this project here:
[https://staticcheck.io/sponsors](https://staticcheck.io/sponsors)

------
alexkappa
Staticcheck is an awesome tool. I've used it quite a bit and (shameless plug)
tried to build a codeclimate engine[1] for it a while back.

I remember trying to integrate it with code climate's tooling but for some
reason or another I didn't manage to.

[1] [https://github.com/alexkappa/codeclimate-staticcheck](https://github.com/alexkappa/codeclimate-staticcheck)

------
the_enigma
This is amazing, thanks for sharing!

