github.com/zeromicro/go-zero
★
★
★
★
★
3
reviews
70
Security
25
Quality
60
Maintenance
55
Overall
v1.10.0
Go
Go
Feb 12, 2026
No Known Issues
This package has a good security score with no known vulnerabilities.
32629
GitHub Stars
4.0/5
Avg Rating
Community Reviews
RECOMMENDED
Production-ready microservices framework with excellent observability but some rigidity
Go-zero provides a comprehensive microservices toolkit with strong opinions about structure and patterns. The built-in connection pooling for Redis and SQL is solid, with sensible defaults (100 max idle conns, 1000 max open for SQL). The circuit breaker and adaptive load shedding work well under load, though you need to tune the shedding threshold based on your traffic patterns.
The logging hooks integrate cleanly with OpenTelemetry, and the built-in metrics collection (via Prometheus) requires minimal setup. Request tracing propagates automatically through RPC calls. However, the framework's code generation tooling (goctl) creates a lot of boilerplate that becomes difficult to customize when your needs diverge from the standard patterns.
Resource management is generally excellent - graceful shutdown works reliably, and timeout configurations cascade properly through contexts. The default 3-second timeout on RPC calls caught us off guard initially. Breaking changes between minor versions have been minimal since 1.4, though the API surface is large enough that dependency updates require careful testing.
The logging hooks integrate cleanly with OpenTelemetry, and the built-in metrics collection (via Prometheus) requires minimal setup. Request tracing propagates automatically through RPC calls. However, the framework's code generation tooling (goctl) creates a lot of boilerplate that becomes difficult to customize when your needs diverge from the standard patterns.
Resource management is generally excellent - graceful shutdown works reliably, and timeout configurations cascade properly through contexts. The default 3-second timeout on RPC calls caught us off guard initially. Breaking changes between minor versions have been minimal since 1.4, though the API surface is large enough that dependency updates require careful testing.
Built-in adaptive load shedding and circuit breakers that actually work under sustained load
Excellent connection pooling defaults with automatic cleanup and health checks
OpenTelemetry integration provides distributed tracing without manual instrumentation
Graceful shutdown properly drains connections and respects context deadlines
Code generation creates rigid project structure that's hard to deviate from
Default 3-second RPC timeout is aggressive and not prominently documented
Large API surface means breaking changes can hide in minor version updates
Best for: Teams building new microservices architectures who want batteries-included observability and proven load-handling patterns.
Avoid if: You need fine-grained control over project structure or are integrating into existing codebases with established patterns.
RECOMMENDED
Opinionated microservice framework with strong security defaults
go-zero provides a solid foundation for building microservices with reasonable security defaults baked in. The framework includes automatic request signature validation, built-in rate limiting, and JWT authentication middleware that's straightforward to configure. The code generation tools (goctl) produce services with input validation via struct tags, though you'll want to add custom validators for complex business logic.
The automatic parameter binding includes basic SQL injection protection and the framework enforces timeouts across all service calls by default. Error handling is somewhat opinionated - it automatically wraps errors in structured responses, which is good for consistency but can leak stack traces in non-production environments if you're not careful with the logging configuration.
Dependency management is reasonable with a focused set of core dependencies, though the framework does pull in etcd and grpc libraries even if you're only building REST services. The team responds to CVEs fairly quickly, and TLS configuration for gRPC services uses modern defaults (TLS 1.2+ with strong cipher suites). The middleware chain makes it easy to add custom authorization logic without bypassing framework protections.
The automatic parameter binding includes basic SQL injection protection and the framework enforces timeouts across all service calls by default. Error handling is somewhat opinionated - it automatically wraps errors in structured responses, which is good for consistency but can leak stack traces in non-production environments if you're not careful with the logging configuration.
Dependency management is reasonable with a focused set of core dependencies, though the framework does pull in etcd and grpc libraries even if you're only building REST services. The team responds to CVEs fairly quickly, and TLS configuration for gRPC services uses modern defaults (TLS 1.2+ with strong cipher suites). The middleware chain makes it easy to add custom authorization logic without bypassing framework protections.
Built-in rate limiting and adaptive circuit breakers prevent resource exhaustion attacks
JWT middleware with token refresh handling and automatic validation of exp/nbf claims
Request validation through struct tags with automatic 400 responses for malformed input
Service-to-service authentication via interceptors with minimal boilerplate
Error responses can expose internal details unless you explicitly configure production mode
Limited documentation on securing the built-in Prometheus metrics endpoints
Best for: Teams building microservices who want security guardrails and consistent patterns without extensive custom middleware.
Avoid if: You need fine-grained control over every aspect of request handling or prefer minimal framework magic.
RECOMMENDED
Opinionated microservices framework with excellent tooling but steep learning curve
go-zero provides a comprehensive microservices framework with impressive code generation capabilities through goctl. The API definition files (.api for HTTP, .proto for gRPC) generate complete service skeletons, reducing boilerplate significantly. Once you understand the conventions, building services becomes very productive. The built-in middleware for tracing, metrics, and circuit breaking work well out of the box.
The framework is heavily opinionated about project structure, which helps consistency but requires investment to understand their way of doing things. Documentation has improved but still assumes familiarity with microservices patterns. The English documentation can be sparse, though Chinese docs are more comprehensive. Error messages from goctl are generally helpful, pointing to line numbers in .api files when definitions are malformed.
Community support is active on GitHub issues with maintainers responding within days. Stack Overflow coverage is limited, so you'll rely more on GitHub discussions and examples. The framework shines when building distributed systems with service discovery and resilience patterns, but feels heavyweight for simple REST APIs.
The framework is heavily opinionated about project structure, which helps consistency but requires investment to understand their way of doing things. Documentation has improved but still assumes familiarity with microservices patterns. The English documentation can be sparse, though Chinese docs are more comprehensive. Error messages from goctl are generally helpful, pointing to line numbers in .api files when definitions are malformed.
Community support is active on GitHub issues with maintainers responding within days. Stack Overflow coverage is limited, so you'll rely more on GitHub discussions and examples. The framework shines when building distributed systems with service discovery and resilience patterns, but feels heavyweight for simple REST APIs.
goctl code generation dramatically reduces boilerplate for REST and gRPC services
Built-in observability features (tracing, metrics, adaptive load shedding) work without extra configuration
Clear separation between business logic and framework code once you understand the structure
Active maintainers respond to GitHub issues typically within 1-3 days
Steep learning curve due to opinionated structure and .api DSL syntax requirements
English documentation lacks depth compared to Chinese version, missing edge case explanations
Limited Stack Overflow presence means debugging relies heavily on reading framework source code
Best for: Teams building distributed microservices architectures who value consistency and built-in resilience patterns over flexibility.
Avoid if: You need a lightweight framework for simple REST APIs or prefer learning from extensive English tutorials and examples.
Write a Review
Sign in to write a review
Sign In
Dependencies
github.com/DATA-DOG/go-sqlmock
v1.5.2
github.com/alicebob/miniredis/v2
v2.36.1
github.com/fatih/color
v1.18.0
github.com/fullstorydev/grpcurl
v1.9.3
github.com/go-sql-driver/mysql
v1.9.3
github.com/golang-jwt/jwt/v4
v4.5.2
github.com/golang/protobuf
v1.5.4
github.com/google/uuid
v1.6.0
github.com/grafana/pyroscope-go
v1.2.7
github.com/jackc/pgx/v5
v5.7.4
github.com/jhump/protoreflect
v1.17.0
github.com/modelcontextprotocol/go-sdk
v1.3.0
github.com/pelletier/go-toml/v2
v2.2.4
github.com/prometheus/client_golang
v1.23.2
github.com/redis/go-redis/v9
v9.17.3
github.com/spaolacci/murmur3
v1.1.0
github.com/stretchr/testify
v1.11.1
go.etcd.io/etcd/api/v3
v3.5.15
go.etcd.io/etcd/client/v3
v3.5.15
go.mongodb.org/mongo-driver/v2
v2.5.0
and 97 more