go / checks

updated March 24, 2026

I run four checks before committing Go code:

goimports -local "$(go list -m)" -w .
go vet ./...
go test ./...
deadcode -test ./...

Order

The checks run fast-to-slow to fail fast:

1. goimports: Formats code and fixes imports. Runs first so other tools see properly formatted code.
2. go vet: Static analysis. Catches bugs before spending time on tests.
3. go test: Runs tests. No point running if vet already found issues.
4. deadcode: Finds unreachable functions. Slowest (whole-program analysis), informational.

goimports

goimports formats code like gofmt and also adds/removes imports.

go install golang.org/x/tools/cmd/goimports@latest

I install this via my laptop script.

The -local flag groups imports into three sections: standard library, third-party, and local module.

import (
    "fmt"
    "net/http"

    "github.com/someone/pkg"

    "mymodule/internal/foo"
)

go vet

go vet reports likely mistakes: printf format errors, unreachable code, suspicious constructs.

It's built into Go and runs fast.

go test

go test runs tests.

The ./... pattern matches all packages in the module.

deadcode

deadcode finds functions that are never called.

go install golang.org/x/tools/cmd/deadcode@latest

I install this via my laptop script.

It uses whole-program analysis starting from main, so it only works on executables, not libraries.

The -test flag includes test binaries in the analysis:

deadcode -test ./...

This creates a virtuous cycle for codebase quality. When deadcode reports an unreachable function, you have two options:

1. Remove it. The function is genuinely unused.
2. Add a test. The function is used but not covered by tests.

Either outcome improves the codebase: less dead code or better test coverage.

The -test flag is especially useful for projects with multiple entry points (WASM, CLI tools, etc.) where some functions are only reachable from entry points that deadcode can't analyze natively.

Pre-push hook

Run checks locally before pushing instead of waiting for CI. Create bin/pre-push:

#!/bin/bash
# Pre-push hook: run Go checks before pushing.

set -e

changed=$(git diff --name-only origin/main...HEAD 2>/dev/null || git diff --name-only HEAD~1...HEAD)

if echo "$changed" | grep -q '\.go$'; then
  echo "==> Checking Go formatting..."
  test -z "$(goimports -local "$(go list -m)" -l .)"

  echo "==> Running go vet..."
  go vet ./...

  echo "==> Running tests..."
  go test ./...

  echo "==> Checking for dead code..."
  deadcode -test ./...
fi

echo "==> All checks passed."

Make it executable and configure git to use bin/ for hooks:

chmod +x bin/pre-push
git config core.hooksPath bin

Notes:

• core.hooksPath tells git to look for hooks in bin/ instead of .git/hooks/.
• Checks only run when .go files changed, making pushes fast for docs-only changes.
• goimports -l lists unformatted files. test -z fails if the list is non-empty.
• The hook lives in bin/ under version control so collaborators get the same checks.
• To skip checks once: git push --no-verify

Security: govulncheck

govulncheck uses the Go Vulnerability Database and static analysis to filter out vulnerabilities that don't affect your code. Dependabot can't do this, so it opens noisy PRs for vulnerabilities in packages you don't even call. See Filippo Valsorda's Turn Dependabot Off.

Run periodically:

go run golang.org/x/vuln/cmd/govulncheck@latest ./...

Test against latest dependencies

Test against the newest dependency versions to catch breakage early:

go get -u -t ./...
go mod tidy
go test ./...
git checkout go.mod go.sum  # restore pinned versions

← All articles