Skip to content

flaglint-go audit

flaglint-go audit scans your source and classifies every detected LaunchDarkly Go SDK call by risk level, producing a migration-readiness score. It never modifies files.

Terminal window
flaglint-go audit [dir] [flags]
FlagDescription
-f, --format stringOutput format: json | markdown (default markdown)
-o, --output stringWrite report to a file instead of stdout
--config stringPath to config file
--write-baseline stringWrite current finding fingerprints to a baseline file for use with validate --baseline --fail-on-new
--strict-typesAdditionally resolve findings only provable with real go/types information (interface satisfaction, transitive factory wrapping, cross-function method-value forwarding). Requires the module to build. See Identity Model.
MethodRiskNotes
BoolVariation / StringVariation / IntVariation / Float64Variation (and their *Ctx forms)LowStatic key only
JSONVariation (and *Ctx)MediumPointer output, manual review
*VariationDetail(Ctx) methodsHighReturns EvaluationDetail — no direct OpenFeature equivalent
AllFlagsStateHighBulk call, no single-flag equivalent
Dynamic flag key (identifier, fmt.Sprintf, string concatenation)HighCannot resolve statically — overrides the method’s own risk level
Scan complete — 2 unique flag(s) across 2 call site(s) (0ms, 2 file(s))
Migration readiness: 100/100 · ready
2 low risk · 0 medium risk · 0 high risk

A codebase with genuine high-risk usage:

Scan complete — 0 unique flag(s) across 4 call site(s) (2.3s, 4512 file(s))
Migration readiness: 0/100 · complex
0 low risk · 0 medium risk · 4 high risk

(All four call sites use a dynamic, per-instance flag key — correctly classified high risk regardless of the underlying method, per the dynamic-key rule above.)

The score is the ratio of low/medium-risk (safely reviewable) call sites to total detected call sites, expressed 0–100. N/A is reported when zero direct calls are found — there’s nothing to score.

Terminal window
flaglint-go audit ./services --write-baseline .flaglint-baseline.json
{
"version": "1",
"schemaVersion": "baseline.v1",
"createdAt": "2026-07-08T19:23:09Z",
"flaglintVersion": "dev",
"fingerprints": [
"launchdarkly:BoolVariation:checkout-v2:checkout.go",
"launchdarkly:IntVariation:discount-percentage:checkout.go"
],
"counts": {
"launchdarkly:BoolVariation:checkout-v2:checkout.go": 1,
"launchdarkly:IntVariation:discount-percentage:checkout.go": 1
}
}

counts records each fingerprint’s occurrence count, not just which fingerprints are known — so validate --fail-on-new also catches a brand-new duplicate of an already-baselined call, not only a brand-new fingerprint. See validate: Baseline Mode.

Commit this file to source control, then use it with flaglint-go validate --baseline <file> --fail-on-new to adopt CI enforcement without requiring all existing debt to be fixed first. See Quickstart: Adopt Gradually With a Baseline.

audit always exits 0 unless the tool itself errors. It is informational — use flaglint-go validate --no-direct-launchdarkly to fail a build.