Safeguard
Tag

go

Safeguard articles tagged "go" — guides, analysis, and best practices for software supply chain and application security.

34 articles

Security Guides

Go Security Best Practices: A 2026 Field Guide for Backend Teams

Go ships secure defaults most other languages lack — but its supply chain, concurrency model, and cgo edges still leak real vulnerabilities. Here are the practices that actually move the needle.

Jul 1, 20268 min read
Open Source Security

Go Module Checksum Database In Depth

The Go checksum database is one of the most successful supply chain controls in any mainstream ecosystem. Here is how it actually works and where it still has edges.

Feb 7, 20266 min read
Application Security

Reachability Analysis for Go Modules in 2026

Go's static linking, vendoring, and govulncheck make reachability analysis tractable. Here is what works, what does not, and the false-positive numbers.

Jan 22, 20265 min read
Open Source Security

How to Monitor Go Module Substitution Attacks

Defend against Go module substitution attacks with GOPROXY, GOSUMDB, vendor verification, and checksum database monitoring — complete with working examples.

Mar 4, 20255 min read
Engineering

Go Module Security: sumdb, GOPROXY and Private Modules

How Go's checksum database actually protects you, where GOPROXY ordering bites, and the GOPRIVATE mistakes that leak internal module paths to public infrastructure.

Feb 27, 20257 min read
Supply Chain

The boltdb-go Backdoor: A Three-Year Go Module Mirror Persistence

A typosquat of boltdb hid a Go module mirror cache-poisoning attack for three years before Socket researchers disclosed it on January 30, 2025.

Feb 5, 20256 min read
DevSecOps

Go Build Cache Poisoning Risks

The Go build cache makes builds fast and reproducible, but a poisoned cache can reuse malicious compiled output indefinitely while the source looks clean.

Nov 28, 20247 min read
DevSecOps

go generate Supply Chain Risks

go generate is a seam where arbitrary commands run with the full privileges of the developer, and it does not show up in any manifest of trusted dependencies.

Oct 15, 20247 min read
Open Source Security

Go Toolchain Distribution Security

The Go toolchain directive can automatically download and run a different compiler version than the one your developers installed, which is convenient, reproducible, and worth understanding as a supply chain surface.

Aug 14, 20246 min read
Open Source Security

Go Checksum Verification Patterns

go.sum and the Go checksum database are among the most rigorous integrity mechanisms in any language ecosystem, and the verification patterns around them deserve to be understood and used well.

Jul 5, 20247 min read
Open Source Security

Go Module Hijacking Detection

Module hijacking in Go is rare compared to npm, but it does happen, and the patterns worth watching are different from what you might expect from other ecosystems.

Jun 18, 20247 min read
Open Source Security

Go Workspaces Supply Chain Risks

Go workspaces make multi-module development feel natural, but the go.work file introduces a new trust boundary that can quietly override pinned versions and bypass checksum verification.

May 22, 20246 min read
go (Page 2) — Safeguard Blog