Safeguard
Tag

golang

Safeguard articles tagged "golang" — guides, analysis, and best practices for software supply chain and application security.

27 articles

Security Guides

Auditing Go Modules with govulncheck

govulncheck is unusual: it uses static analysis to tell you not just which Go dependencies are vulnerable, but whether your code actually reaches the vulnerable function.

Jul 3, 20265 min read
Security Guides

SSRF Prevention in Go: Blocking Metadata, Redirects, and DNS Rebinding

A single unvalidated URL passed to net/http can hand an attacker your cloud metadata credentials. Here's how SSRF actually works against Go services — and the DialContext-level defense that stops it.

Jul 2, 20265 min read
Security Guides

Preventing Command Injection in Go: Allowlists, Argument Safety, and Sandboxing

os/exec keeps the shell out of your way — but user-controlled binaries, flag injection, and PATH tricks still get Go services popped. Here's the prevention playbook, not just the theory.

Jul 2, 20266 min read
Security Guides

Go Security Best Practices: A 2026 Field Guide for Backend Teams

Go ships secure defaults most other languages lack — but its supply chain, concurrency model, and cgo edges still leak real vulnerabilities. Here are the practices that actually move the needle.

Jul 1, 20268 min read
Supply Chain Attacks

Go Toolchain Supply Chain Risks: 2025 Research

2025 research on Go toolchain supply chain risks: module proxy abuse, replace directive attacks, cgo linker vectors, and the hardening patterns Go shops should adopt.

Apr 6, 20268 min read
Industry Analysis

Go (Golang) Security Explained

Go's memory safety stops buffer overflows, not logic bugs, typosquatted modules, or CI-pipeline compromise. Here's what actually threatens Go security.

Feb 23, 20266 min read
Application Security

Reachability Analysis for Go Modules in 2026

Go's static linking, vendoring, and govulncheck make reachability analysis tractable. Here is what works, what does not, and the false-positive numbers.

Jan 22, 20265 min read
Open Source Security

Go's 'go get' Remote Code Execution via Crafted Import Pa...

A deep dive into CVE-2018-16873, the Go 'go get' remote code execution vulnerability caused by crafted import paths and command injection in DVCS fetches.

Nov 30, 20258 min read
Open Source Security

Go's 'go get' Directory Traversal via GOPATH Package Path...

CVE-2018-16874: a directory traversal flaw in Go's go get let malicious GOPATH import paths with curly braces write files outside the workspace.

Nov 30, 20257 min read
Open Source Security

Go module proxy vulnerability trends

A backdoor hid in Go's module proxy for 3+ years, and 63,000+ orphaned packages remain cached. Inside 2025's Go supply chain reckoning.

Nov 21, 20256 min read
Industry Analysis

SQL Injection Prevention in Go with database/sql Prepared...

How Go's database/sql prepared statements prevent SQL injection, where developers still get it wrong with dynamic queries and ORMs, and how Safeguard catches these gaps in code review.

Oct 26, 20258 min read
Industry Analysis

Path Traversal Prevention in Go with filepath.Join Valida...

filepath.Join in Go only cleans a path, it doesn't restrict it to a base directory. Here's why that gap produced real CVEs, and how to close it for good.

Oct 24, 20257 min read
golang (Page 2) — Safeguard Blog