go
Safeguard articles tagged "go" — guides, analysis, and best practices for software supply chain and application security.
34 articles
Do Not Pass GO: Malicious Golang Package Alert
A typosquat of boltdb/bolt stayed cached on Go's module proxy for roughly three years after its source repo was cleaned up — proxy caching beats takedowns.
The Go Web Application Security Checklist: Server Hardening to Output Encoding
A field-tested checklist for Go web services — the http.Server timeouts nobody sets, html/template escaping traps, auth and session hygiene, and the headers that actually matter.
Command injection in Go: os/exec, exec.Command, and how it still goes wrong
Go's exec.Command never invokes a shell — yet CWE-78 command injection keeps shipping in Go services. Here's exactly how, and how gosec's G204 rule catches it.
The gosec Static Analysis Guide: Rules, CI, and Taming False Positives
gosec catches hardcoded secrets, weak crypto, unsafe SQL, and command injection in Go — but only if you run it well and triage it honestly. A practical guide to the rules that matter and the noise that doesn't.
Go Dependency Management Security: go.mod Hygiene That Actually Reduces Risk
Minimal version selection, indirect dependencies, replace directives, and the update cadence nobody documents. A practical guide to keeping your Go dependency graph both current and trustworthy.
Go Concurrency Security Pitfalls: When Data Races Become Vulnerabilities
A data race isn't just a flaky test — in the wrong place it's an auth bypass, a cross-request leak, or a denial of service. Here are the Go concurrency bugs that turn into security incidents.
Go Code Review Tools: An Honest 2026 Buyer's Guide
A balanced 2026 comparison of Go code review and static-analysis tools — go vet, staticcheck, golangci-lint, gosec, govulncheck, Semgrep, CodeQL — with honest tradeoffs and where Safeguard fits.
The Go Vulnerability Scanning Guide: govulncheck, Reachability, and CI
Most scanners tell you a CVE exists somewhere in go.sum. govulncheck tells you whether your code can actually reach it. Here's how Go's reachability-based scanning works and how to run it well.
Securing the Go Modules Supply Chain: Proxy, Checksums, and Provenance End to End
The Go module system ships with a tamper-evident checksum log and a public proxy most teams never configure deliberately. Here's how to turn those defaults into a real supply-chain control plane.
SQL Injection in Go: Why database/sql Is Safe Until You Reach for Sprintf
database/sql gives Go parameterized queries for free — yet SQL injection still ships in Go services through dynamic query building, ORM escape hatches, and misused identifiers. Here's the line you can't cross.
SSRF Prevention in Go: Blocking Metadata, Redirects, and DNS Rebinding
A single unvalidated URL passed to net/http can hand an attacker your cloud metadata credentials. Here's how SSRF actually works against Go services — and the DialContext-level defense that stops it.
Preventing Command Injection in Go: Allowlists, Argument Safety, and Sandboxing
os/exec keeps the shell out of your way — but user-controlled binaries, flag injection, and PATH tricks still get Go services popped. Here's the prevention playbook, not just the theory.