golang-security
Safeguard articles tagged "golang-security" — guides, analysis, and best practices for software supply chain and application security.
6 articles
Anatomy of a Go module supply chain compromise: lessons f...
Real incidents like the xz-utils backdoor reveal the anatomy of a go module supply chain compromise: maintainer trust, init() execution, and immutable proxy caching.
Malicious Go modules found on GitHub
Malicious Go modules keep surfacing on GitHub, exploiting the ecosystem's lack of a curated registry. Here's the pattern — and how to defend against it.
Go standard library CVE trend report
A trend analysis of Go standard library CVEs from HTTP/2 Rapid Reset to crypto/x509 parsing bugs — and why "it's stdlib" is not a safe-harbor assumption.
Go module checksum database bypass risks
Go's GOSUMDB checksum verification is meant to be on by default, but Safeguard's research found roughly 1 in 6 CI pipelines quietly disable it.
XXE Prevention in Go with decoder.DisallowDTD
Go's standard XML parser resists classic XXE by design, but cgo bindings and SAML libraries can reopen it. Here's how the DisallowDTD pattern closes the gap.
Secure Random Number Generation in Go with crypto/rand
Go's math/rand is fast but predictable. Here's why crypto/rand is the only safe choice for tokens, keys, and nonces -- and what changed in Go 1.20-1.24.