
-out flag does not create output files for any format #1430

@drewkhoury

test-gosec-helloworld.zip

Description

The -fmt=junit-xml -out=<file> flags do not create the output file, even when combined with -no-fail. This makes it impossible to collect JUnit test results for CI/CD pipelines.

Steps to Reproduce

  1. Create a simple Go application with security issues:

    // main.go
    package main

    import (
    	"fmt"
    	"os"
    	"os/exec"
    )

    func main() {
    	fmt.Println("Hello, World!")

    	// G204: Command injection
    	userInput := os.Args[1]
    	cmd := exec.Command("sh", "-c", userInput)
    	cmd.Run()

    	// G306: Insecure file permissions
    	os.WriteFile("test.txt", []byte("data"), 0777)
    }

  2. Run gosec with JUnit XML output:

    gosec ./... -fmt=junit-xml -out=output.xml

  3. Check if file exists:

    ls -la output.xml
    # ls: output.xml: No such file or directory

Expected Behavior

The output.xml file should be created containing JUnit XML format with test results, regardless of whether security issues are found or the exit code.

Actual Behavior

  • No file is created with -out flag
  • No file is created even with -no-fail flag
  • Exit code is non-zero when issues are found (expected)
  • Summary is printed to stdout/stderr but no XML file

Tested Versions

Tested across multiple versions with identical results:

  • v2.22.0
  • v2.20.0
  • v2.18.0
  • v2.15.0
  • v2.12.0
  • v2.10.0

All versions fail to create the XML file.

Workarounds Attempted

  1. With -no-fail flag:

    gosec ./... -fmt=junit-xml -out=output.xml -no-fail

    Result: ❌ No file created, exit code 0

  2. Stdout redirect:

    gosec ./... -fmt=junit-xml > output.xml

    Result: ⚠️ File created but contains text output, not XML

  3. With -stdout flag:

    gosec ./... -fmt=junit-xml -out=output.xml -stdout

    Result: ❌ No file created (conflicts with -out)

Environment

  • gosec version: 2.22.10 (and earlier versions)
  • Go version: 1.22
  • OS: macOS (also tested in Docker with Alpine Linux)
  • Installation: go install github.com/securego/gosec/v2/cmd/gosec@latest

Impact

This prevents integration with CI/CD tools that consume JUnit XML for test reporting (Jenkins, GitLab CI, GitHub Actions, etc.). Users cannot track security scan results over time or display them in dashboards.

Additional Context

Tested with multiple output formats (json, sarif, junit-xml) - all formats fail to create output files when using the -out flag. This appears to be a general issue with the -out flag, not specific to JUnit XML.

Full test script and results attached.
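The following reproduction harness is an editor's addition, not part of the report above or of the gosec project. It automates the steps in the report for every format mentioned (json, sarif, junit-xml) and, instead of only checking that the output file exists, classifies what the file actually contains, since workaround 2 shows that an existing file can still hold the text report rather than XML. Two facts it relies on: Go's standard `flag` package stops parsing at the first non-flag argument, and gosec's documented usage line is `gosec [options] ./...`; the harness therefore runs each format with the options both before and after the package pattern so the two orderings can be compared side by side. Assumptions: the current directory is the Go module containing the sample main.go, gosec is on PATH (the live run is skipped when it is not), and reports are written to `report.<format>` in the working directory.

```shell
#!/bin/sh
# Reproduction harness added by the editor; not part of the original report
# or of the gosec project. Assumptions: the current directory is the Go module
# holding the sample main.go, gosec is on PATH (the live run is skipped if it
# is not), and reports are written to report.<format>.

# Classify what a report file actually contains, because an existing file can
# still hold the wrong thing (workaround 2 above got text, not XML).
# Prints one of: missing, empty, xml, json, text.
report_kind() {
    f="$1"
    [ -f "$f" ] || { echo missing; return 0; }
    # first non-blank line, leading whitespace stripped
    first=$(sed -e 's/^[[:space:]]*//' -e '/./!d' "$f" | head -n 1)
    case "$first" in
        '')        echo empty ;;
        '<'*)      echo xml ;;    # <?xml ...?> or <testsuites> (junit-xml)
        '{'*|'['*) echo json ;;   # json and sarif reporters both emit JSON
        *)         echo text ;;   # gosec's default text reporter
    esac
}

# Run gosec once with the options either before or after the package pattern.
# Go's standard flag package stops parsing at the first non-flag argument, so
# the two orderings are not equivalent; printing both, together with the exit
# code and the resulting file kind, makes any difference visible.
run_gosec() {
    order="$1"; fmt="$2"; out="$3"
    rm -f "$out"
    rc=0
    if [ "$order" = flags-first ]; then
        gosec -no-fail -fmt="$fmt" -out="$out" ./... >/dev/null 2>&1 || rc=$?
    else
        gosec ./... -no-fail -fmt="$fmt" -out="$out" >/dev/null 2>&1 || rc=$?
    fi
    printf '%-11s %-9s exit=%s file=%s\n' "$order" "$fmt" "$rc" "$(report_kind "$out")"
}

# Exercise every format named in the report, in both flag orderings.
check_all_formats() {
    if ! command -v gosec >/dev/null 2>&1; then
        echo "gosec not on PATH; skipping live run" >&2
        return 0
    fi
    for fmt in json sarif junit-xml; do
        run_gosec flags-first "$fmt" "report.$fmt"
        run_gosec flags-last  "$fmt" "report.$fmt"
    done
}

check_all_formats
```

Run it from the module root after `go install github.com/securego/gosec/v2/cmd/gosec@latest`; each line of output names the ordering, the format, gosec's exit code and the kind of file left behind, which is the information a CI job needs before it hands the file to a JUnit or SARIF consumer.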
