Safeguard
Tag

go

Safeguard articles tagged "go" — guides, analysis, and best practices for software supply chain and application security.

34 articles

SBOM & Compliance

SLSA for Go Releases: A Practical Guide

Go's build model makes SLSA provenance more tractable than most ecosystems. Here is the practical guide for producing and verifying provenance on Go releases.

May 15, 20246 min read
Open Source Security

Go Dependency Visualization for Security

The Go module graph is comparatively small, which makes it one of the few ecosystems where visualizing dependencies is actually useful for security review rather than just pretty.

Apr 12, 20247 min read
Open Source Security

Go Proxy and Private Module Security

Mixing public and private modules through a Go proxy is where most teams get their configuration wrong, and the mistakes range from leaked module names to accepted unverified code.

Mar 28, 20246 min read
Open Source Security

go mod tidy: The Security Implications

Running go mod tidy feels like harmless housekeeping, but the command can silently pull new code, update checksums, and reshape your dependency graph in ways that have real security consequences.

Feb 10, 20247 min read
Vulnerability Management

govulncheck in Production Integration

govulncheck is the best vulnerability scanner the Go ecosystem has ever had, but turning it from a demo into a production gate takes more than adding a CI step.

Nov 8, 20237 min read
Best Practices

Reproducible Builds in the Go Ecosystem

Go's toolchain makes reproducible builds unusually tractable. Here is how to reach bit-for-bit builds across machines in 2023, and where the rough edges remain.

Jul 20, 20235 min read
Software Supply Chain Security

Go Module Checksum Database: How It Secures Your Dependencies

Go checksum database is one of the most underappreciated supply chain security features in any language ecosystem. Here is how it works and where it falls short.

Mar 18, 20235 min read
Open Source Security

Go Modules Checksum Database: Five Years In

sum.golang.org went public in August 2019. After four years of production, here is what the Go checksum database got right and what it did not.

Mar 12, 20236 min read
DevSecOps

gosec: Static Analysis for Go Security

gosec is the standard security linter for Go. Here is what it catches, what it misses, and how to integrate it effectively into your workflow.

Feb 18, 20235 min read
DevSecOps

GoSec Static Analysis for Go: Practical Security Scanning

GoSec finds security issues in Go source code. Here is how to get the most out of it without fighting false positives all day.

Sep 18, 20225 min read
go (Page 3) — Safeguard Blog