Native Go binary for auditing LaunchDarkly Go server SDK usage — no Node.js required.
Status: early development. This is the Go-native counterpart to flaglint-js, built for teams that don't want a Node.js dependency in their toolchain. It shares the same fingerprint, exit-code, config, and SARIF contracts — see docs/adr/003-cross-tool-contract.md.
flaglint-js's own architecture notes (ADR 006, deferred) originally proposed
adding Go support inside the npm CLI via tree-sitter-go. flaglint-go takes a
different path: since this ships as a standalone Go binary, it uses Go's
standard go/parser/go/ast directly — no tree-sitter, no Node runtime. See
docs/adr/001-native-go-parser.md for the
full rationale.
Client identity is proven through import-alias tracing, constructor-call
binding, and whole-scan syntactic resolution of common indirection (struct
fields, composite literals, multi-level field chains, factory/getter
functions, typed parameters) — never by variable or function name alone
(see docs/adr/002-client-identity-model.md
and docs/adr/004-whole-scan-identity-resolution.md).
Deeper indirection that can't be proven from declared types alone (method
values, interface satisfaction, transitive factory wrapping) is deferred to
an opt-in go/types-verified pass, designed but not yet implemented —
today's scanner is syntax-only, no build required.
- Supported SDK:
github.com/launchdarkly/go-server-sdkv6 and v7 - Detected methods:
BoolVariation,StringVariation,IntVariation,Float64Variation,JSONVariation, their*Ctxand*Detail(Ctx)variants, andAllFlagsState - Risk classification: low (simple static-key variation) / medium
(
JSONVariation) / high (*Detailmethods,AllFlagsState, dynamic keys) - Out of scope for now: migration rewrites (
--apply), browser/mobile SDKs, non-LaunchDarkly providers,go/types-verified identity (Phase 2)
go install github.com/flaglint/flaglint-go/cmd/flaglint-go@latestPrebuilt release binaries and a Homebrew formula (flaglint/tap/flaglint-go)
publish automatically once a version tag is cut — see
.goreleaser.yaml.
brew install flaglint/tap/flaglint-go# Inventory report — always exits 0 unless there's a tool error
flaglint-go scan ./services
flaglint-go scan ./services --format json
# --strict-types: additionally resolves findings only provable with real
# go/types information (interface satisfaction) — requires the module to
# build; see docs/adr/005-strict-types-pass.md
flaglint-go scan ./services --strict-types
# Inventory + migration-readiness score
flaglint-go audit ./services
flaglint-go audit ./services --write-baseline .flaglint-baseline.json
# Policy enforcement — the only command that ever exits 1
flaglint-go validate ./services --no-direct-launchdarkly
flaglint-go validate ./services --no-direct-launchdarkly \
--bootstrap-exclude "internal/openfeature-bootstrap/**"
flaglint-go validate ./services --format sarif --output flaglint.sarif
# CI adoption: fail only on debt introduced after the baseline was captured
flaglint-go validate ./services --baseline .flaglint-baseline.json --fail-on-new| Code | Meaning |
|---|---|
| 0 | Success — scan/audit always end here unless something breaks |
| 1 | Policy failure — validate only, never scan/audit |
| 2 | Invalid input — bad directory, bad --format, malformed config/baseline |
| 3 | Internal error |
| 130 | Interrupted (Ctrl-C) |
Full cross-tool contract (fingerprint format, baseline schema, SARIF rule IDs): docs/adr/003-cross-tool-contract.md.
See CONTRIBUTING.md.
MIT