go
Safeguard articles tagged "go" — guides, analysis, and best practices for software supply chain and application security.
34 articles
SLSA for Go Releases: A Practical Guide
Go's build model makes SLSA provenance more tractable than most ecosystems. Here is the practical guide for producing and verifying provenance on Go releases.
Go Dependency Visualization for Security
The Go module graph is comparatively small, which makes it one of the few ecosystems where visualizing dependencies is actually useful for security review rather than just pretty.
Go Proxy and Private Module Security
Mixing public and private modules through a Go proxy is where most teams get their configuration wrong, and the mistakes range from leaked module names to accepted unverified code.
go mod tidy: The Security Implications
Running go mod tidy feels like harmless housekeeping, but the command can silently pull new code, update checksums, and reshape your dependency graph in ways that have real security consequences.
govulncheck in Production Integration
govulncheck is the best vulnerability scanner the Go ecosystem has ever had, but turning it from a demo into a production gate takes more than adding a CI step.
Reproducible Builds in the Go Ecosystem
Go's toolchain makes reproducible builds unusually tractable. Here is how to reach bit-for-bit builds across machines in 2023, and where the rough edges remain.
Go Module Checksum Database: How It Secures Your Dependencies
Go checksum database is one of the most underappreciated supply chain security features in any language ecosystem. Here is how it works and where it falls short.
Go Modules Checksum Database: Five Years In
sum.golang.org went public in August 2019. After four years of production, here is what the Go checksum database got right and what it did not.
gosec: Static Analysis for Go Security
gosec is the standard security linter for Go. Here is what it catches, what it misses, and how to integrate it effectively into your workflow.
GoSec Static Analysis for Go: Practical Security Scanning
GoSec finds security issues in Go source code. Here is how to get the most out of it without fighting false positives all day.