Skip to content

flaglint-go Overview

flaglint-go is the Go-native counterpart to flaglint-js — a standalone binary for auditing LaunchDarkly Go server SDK usage, built for teams that don’t want a Node.js dependency in their toolchain.

Terminal window
brew install flaglint/tap/flaglint-go
flaglint-go audit ./services

No API key. No source upload. Runs locally against your checkout, using Go’s own go/parser/go/ast by default — no build required, no go/types type-checking, no tree-sitter. An opt-in --strict-types pass is available for the small number of patterns pure syntax can’t resolve on its own; see Identity Model.

flaglint-go is an early-access, separate binary — not a Go mode bolted onto the npm CLI. They share the same fingerprint, exit-code, config, and SARIF conventions (cross-tool contract), but flaglint-go’s command surface is currently narrower:

flaglint-jsflaglint-go
scan — structured inventory
audit — risk-ranked report + readiness score
validate — CI policy gate
migrate — automated OpenFeature rewrites❌ not yet
init — scaffold a config file❌ not yet
completion — shell autocompletion scripts✅ (Cobra’s stock boilerplate — bash/zsh/fish/PowerShell)
  • Performs local source analysis, syntax-only by default (no build, no go/types, no network access), with an opt-in --strict-types pass for the few patterns pure syntax can’t resolve.
  • Detects github.com/launchdarkly/go-server-sdk v6 and v7 evaluation calls, proven through import-alias tracing and constructor-call binding — never through name matching alone.
  • Resolves common real-world indirection across an entire scan (not just one file): struct fields (including a field’s declared type alone, with no construction observed anywhere), composite literals (including one that directly initializes a package-level var), multi-level field chains, cross-package factory/getter functions, and typed parameters. See Identity Model.
  • Generates the same inventory/audit/validate reports as flaglint-js (JSON, Markdown, text, SARIF).
  • It does not rewrite code. There is no migrate/--apply command yet.
  • It does not resolve every indirection pattern. What’s left is documented and tracked as it’s found — currently there are no open identity-resolution gaps. See Limitations for the current list.
  • It does not query LaunchDarkly for flag age, owner, evaluation history, or production usage.