🐹 Go Fan Report: securego/gosec/v2
Module Overview
github.com/securego/gosec/v2 (v2.27.1) is a static analysis security scanner for Go. It walks the AST and SSA/taint graph to flag hardcoded credentials, subprocess injection, weak crypto, unsafe deserialization, integer overflow, file inclusion, and more — each finding mapped to a Gxxx rule ID and a CWE. In gh-aw it is a build-time tool dependency, not a linked library: it is pinned via tools.go and invoked as a CLI to scan the codebase.
Current Usage in gh-aw
- Files: 0 library imports — used purely as a tool.
- Tool pin: tools.go blank-imports github.com/securego/gosec/v2/cmd/gosec under //go:build tools to record the version in go.mod.
- Invocation: make security-gosec and the gosec job in .github/workflows/security-scan.yml, both running gosec -exclude-generated -track-suppressions -exclude=G101,G115,G204,G602,G301,G302,G304,G306 ./... (JSON locally, SARIF in CI to code scanning).
- Config: .golangci.yml carries the exclusion list as the documented source of truth (gosec is disabled inside golangci-lint due to v2 config bugs and run standalone).
- Suppressions: 39 inline #nosec annotations across 23 files; policy in scratchpad/gosec.md mandates the #nosec G<id> -- <justification> format.
Research Findings
- Latest: v2.27.1 (2026-06-01); repo last pushed 2026-06-03 — actively maintained. Requires Go 1.25+ (project is on 1.26.3 ✅).
Recent Updates
- v2.27.0 — new -nosec-require-rules and -nosec-require-justification flags to enforce that every #nosec names a rule ID and carries a justification (PR #1671); G118 false-positive fixes.
- v2.25.0 — new rules G124 (insecure HTTP cookie config), G709 (unsafe deserialization), G708 (text/template SSTI); G120 ported to taint analysis; G115/G117 false-positive reductions; per-package rule instantiation fixes a concurrent-map crash.
- v2.24.7 — SARIF null-relationship fix; images moved to GHCR.
Best Practices
-track-suppressions (already used ✅) keeps an audit trail of #nosec in SARIF; pair it with the require-* flags. A single shared gosec config file is the recommended way to avoid duplicating the exclude set.
Improvement Opportunities
🏃 Quick Wins
- Unify the gosec version — it diverges three ways today: go.mod/tools.go pin v2.27.1, Makefile:198 installs v2.23.0, and .github/workflows/security-scan.yml:29 installs v2.22.11. CI actually runs v2.22.11, which predates G708/G709/G124 and several false-positive fixes — so the pinned version is misleading. Bump both to v2.27.1.
- Install the pinned tool instead of a hardcoded literal so the version can never drift (derive it from go.mod, or adopt a Go 1.24+ tool directive). This removes the three-way sync problem at the root.
- Add the 2 missing justifications: pkg/cli/run_workflow_validation.go:48 and :101 use // #nosec G304 with no -- justification. They are the only 2 of 39 annotations that would fail -nosec-require-justification.
✨ Feature Opportunities
- Machine-enforce the existing #nosec policy. scratchpad/gosec.md already mandates #nosec G<id> -- <justification>, but enforcement is manual. The v2.27.0 -nosec-require-rules -nosec-require-justification flags turn that convention into a hard CI check — and only the 2 lines above need fixing first, so adoption is nearly free.
- Triage the new rules. gh-aw shells out heavily and parses workflow YAML, so G709 (unsafe deserialization) and G708 (template injection) are directly relevant. Run v2.27.1 once without the broad -exclude list to see what the newer rules surface.
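As an added example (not gh-aw's or gosec's own code), a small Go checker that applies the scratchpad/gosec.md annotation format to a constructed source file: it reports every #nosec comment that names no G-rule ID or carries no -- justification, which is exactly what -nosec-require-rules and -nosec-require-justification would reject in CI. CheckNosec, its message wording and the sample source are assumptions made for illustration.

```go
package main
import (
	"fmt"
	"go/parser"
	"go/token"
	"regexp"
	"strings"
)

// Policy from scratchpad/gosec.md: every suppression reads "#nosec G<id> -- <justification>".
var nosecRe = regexp.MustCompile(`#nosec\b(.*)`) // text after the marker, up to end of line
var ruleRe = regexp.MustCompile(`\bG\d{3}\b`)     // a gosec rule ID such as G304
// CheckNosec parses Go source and returns one "file:line: reason" per #nosec comment that
// names no rule ID or has no "-- justification" (what the v2.27.0 require flags reject).
func CheckNosec(filename, src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, parser.ParseComments)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, cg := range f.Comments {
		for _, c := range cg.List {
			m := nosecRe.FindStringSubmatch(c.Text)
			if m == nil {
				continue
			}
			line := fset.Position(c.Pos()).Line
			rules, just, hasSep := strings.Cut(m[1], "--")
			if !ruleRe.MatchString(rules) {
				out = append(out, fmt.Sprintf("%s:%d: #nosec names no rule ID", filename, line))
			}
			if !hasSep || strings.TrimSpace(just) == "" {
				out = append(out, fmt.Sprintf("%s:%d: #nosec has no -- justification", filename, line))
			}
		}
	}
	return out, nil
}
// sampleSrc is constructed input: a compliant suppression, one missing its justification
// (the shape of the two gh-aw findings) and one missing its rule ID.
const sampleSrc = `package sample
import "os"
func a(p string) ([]byte, error) { return os.ReadFile(p) } // #nosec G304 -- p was validated against an allowlist
func b(p string) ([]byte, error) { return os.ReadFile(p) } // #nosec G304
func c(p string) ([]byte, error) { return os.ReadFile(p) } // #nosec -- legacy suppression without a rule
`
func main() { // a CI gate would exit non-zero whenever findings is non-empty
	findings, _ := CheckNosec("sample.go", sampleSrc)
	fmt.Println(strings.Join(findings, "\n"))
}
```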
📐 Best Practice Alignment
- The -exclude set is duplicated across Makefile, CI, and the .golangci.yml comment block and synced by hand. A shared gosec.json (-conf) consumed by both runners would give it a single source of truth.
🔧 General Improvements
- Document the supported/pinned gosec version in DEVGUIDE.md so contributors run locally what CI runs.
Recommendations
1. Align Makefile + CI gosec to v2.27.1 (and ideally install from the go.mod pin).
2. Add justifications to the 2 bare #nosec G304 lines.
3. Enable -nosec-require-rules -nosec-require-justification in make security-gosec and CI.
4. Centralize the exclusion list in a single gosec config file.
5. Do a one-off scan with the new G708/G709/G124 rules and triage.
Next Steps
- Open a small PR for items 1–3 (low risk, high signal).
- File a follow-up to evaluate the new rules (item 5).
Generated by Go Fan
Module summary saved to: scratchpad/mods/securego-gosec.md