golang
Safeguard articles tagged "golang" — guides, analysis, and best practices for software supply chain and application security.
27 articles
Common Go module vulnerability patterns and how govulncheck helps
Two real CVEs in Go's path/filepath package and a growing SSRF problem in webhook handlers show why Go's safety guarantees don't cover application logic.
Minimal container images with ko: evaluating distroless Go builds
ko builds Go containers straight from source onto a shell-less distroless base with no Dockerfile — cutting attack surface, and debugging tools, at once.
Anatomy of a Malicious Go Package Typosquat
A Go typosquat backdoored since 2021 stayed live for over three years because Go's module proxy caches code immutably — even after the attacker cleaned the repo.
The Go Web Application Security Checklist: Server Hardening to Output Encoding
A field-tested checklist for Go web services — the http.Server timeouts nobody sets, html/template escaping traps, auth and session hygiene, and the headers that actually matter.
Secure password hashing in Go: bcrypt, Argon2, and the mistakes in between
Go's bcrypt package caps input at 72 bytes and returns ErrPasswordTooLong instead of silently truncating — one of several Go-specific quirks that trip up password hashing code.
The gosec Static Analysis Guide: Rules, CI, and Taming False Positives
gosec catches hardcoded secrets, weak crypto, unsafe SQL, and command injection in Go — but only if you run it well and triage it honestly. A practical guide to the rules that matter and the noise that doesn't.
Go Dependency Management Security: go.mod Hygiene That Actually Reduces Risk
Minimal version selection, indirect dependencies, replace directives, and the update cadence nobody documents. A practical guide to keeping your Go dependency graph both current and trustworthy.
Go Concurrency Security Pitfalls: When Data Races Become Vulnerabilities
A data race isn't just a flaky test — in the wrong place it's an auth bypass, a cross-request leak, or a denial of service. Here are the Go concurrency bugs that turn into security incidents.
Go Code Review Tools: An Honest 2026 Buyer's Guide
A balanced 2026 comparison of Go code review and static-analysis tools — go vet, staticcheck, golangci-lint, gosec, govulncheck, Semgrep, CodeQL — with honest tradeoffs and where Safeguard fits.
The Go Vulnerability Scanning Guide: govulncheck, Reachability, and CI
Most scanners tell you a CVE exists somewhere in go.sum. govulncheck tells you whether your code can actually reach it. Here's how Go's reachability-based scanning works and how to run it well.
Securing the Go Modules Supply Chain: Proxy, Checksums, and Provenance End to End
The Go module system ships with a tamper-evident checksum log and a public proxy most teams never configure deliberately. Here's how to turn those defaults into a real supply-chain control plane.
SQL Injection in Go: Why database/sql Is Safe Until You Reach for Sprintf
database/sql gives Go parameterized queries for free — yet SQL injection still ships in Go services through dynamic query building, ORM escape hatches, and misused identifiers. Here's the line you can't cross.