Safeguard
Tag

go

Safeguard articles tagged "go" — guides, analysis, and best practices for software supply chain and application security.

34 articles

Supply Chain Security

Do Not Pass GO: Malicious Golang Package Alert

A typosquat of boltdb/bolt stayed cached on Go's module proxy for roughly three years after its source repo was cleaned up — proxy caching beats takedowns.

Jul 16, 20266 min read
Security Guides

The Go Web Application Security Checklist: Server Hardening to Output Encoding

A field-tested checklist for Go web services — the http.Server timeouts nobody sets, html/template escaping traps, auth and session hygiene, and the headers that actually matter.

Jul 8, 20266 min read
Application Security

Command injection in Go: os/exec, exec.Command, and how it still goes wrong

Go's exec.Command never invokes a shell — yet CWE-78 command injection keeps shipping in Go services. Here's exactly how, and how gosec's G204 rule catches it.

Jul 8, 20266 min read
Security Guides

The gosec Static Analysis Guide: Rules, CI, and Taming False Positives

gosec catches hardcoded secrets, weak crypto, unsafe SQL, and command injection in Go — but only if you run it well and triage it honestly. A practical guide to the rules that matter and the noise that doesn't.

Jul 7, 20266 min read
Security Guides

Go Dependency Management Security: go.mod Hygiene That Actually Reduces Risk

Minimal version selection, indirect dependencies, replace directives, and the update cadence nobody documents. A practical guide to keeping your Go dependency graph both current and trustworthy.

Jul 6, 20266 min read
Security Guides

Go Concurrency Security Pitfalls: When Data Races Become Vulnerabilities

A data race isn't just a flaky test — in the wrong place it's an auth bypass, a cross-request leak, or a denial of service. Here are the Go concurrency bugs that turn into security incidents.

Jul 5, 20267 min read
Buyer's Guides

Go Code Review Tools: An Honest 2026 Buyer's Guide

A balanced 2026 comparison of Go code review and static-analysis tools — go vet, staticcheck, golangci-lint, gosec, govulncheck, Semgrep, CodeQL — with honest tradeoffs and where Safeguard fits.

Jul 4, 20266 min read
Security Guides

The Go Vulnerability Scanning Guide: govulncheck, Reachability, and CI

Most scanners tell you a CVE exists somewhere in go.sum. govulncheck tells you whether your code can actually reach it. Here's how Go's reachability-based scanning works and how to run it well.

Jul 4, 20266 min read
Security Guides

Securing the Go Modules Supply Chain: Proxy, Checksums, and Provenance End to End

The Go module system ships with a tamper-evident checksum log and a public proxy most teams never configure deliberately. Here's how to turn those defaults into a real supply-chain control plane.

Jul 3, 20266 min read
Security Guides

SQL Injection in Go: Why database/sql Is Safe Until You Reach for Sprintf

database/sql gives Go parameterized queries for free — yet SQL injection still ships in Go services through dynamic query building, ORM escape hatches, and misused identifiers. Here's the line you can't cross.

Jul 3, 20266 min read
Security Guides

SSRF Prevention in Go: Blocking Metadata, Redirects, and DNS Rebinding

A single unvalidated URL passed to net/http can hand an attacker your cloud metadata credentials. Here's how SSRF actually works against Go services — and the DialContext-level defense that stops it.

Jul 2, 20265 min read
Security Guides

Preventing Command Injection in Go: Allowlists, Argument Safety, and Sandboxing

os/exec keeps the shell out of your way — but user-controlled binaries, flag injection, and PATH tricks still get Go services popped. Here's the prevention playbook, not just the theory.

Jul 2, 20266 min read
go — Safeguard Blog