[go-fan] Go Module Review: securego/gosec

[github-actions[bot]]

🐹 Go Fan Report: securego/gosec

Hot off the press! gosec/v2 released v2.25.0 yesterday (2026-03-19) — and this project is running three different versions across go.mod, the Makefile, and CI. Time to dig in!

---

Module Overview

gosec is a Go security scanner that inspects source code by analyzing the Go AST and SSA code representation. It detects common security vulnerabilities across categories: hardcoded credentials, injection risks, file handling, crypto weaknesses, blocklisted imports, Go-specific correctness checks, and taint analysis for SQL/command/path/SSRF/XSS vulnerabilities.

---

Current Usage in gh-aw

• Role: CLI tool only (not a Go library)
• Imported in: tools.go via blank import for go.mod pinning
• Invoked via: make security-gosec and .github/workflows/security-scan.yml
• Output: JSON (gosec-report.json) locally, SARIF (gosec-results.sarif) uploaded to GitHub code scanning

CLI invocation:

gosec -fmt sarif -out gosec-results.sarif -stdout \
  -exclude-generated -track-suppressions \
  -exclude=G101,G115,G204,G602,G301,G302,G304,G306 \
  ./...

Suppression Annotations (46 total in non-test files)

Rule	Count	Pattern
G304	19	File inclusion via variable — all validated with isPathWithinDir()
G204	8	Subprocess with variable args — exec.LookPath + separate args
G101	6	Credentials — false positives (GitHub Actions $\{\{ }} templates)
G115	6	Integer overflow — display-only conversions
G107	1	URL from variable — trusted workflow config source
G110	1	Decompression bomb — size-checked
G305	1	Path traversal — filepath.Clean + prefix check

Annotation Style Mix

The codebase uses two different suppression styles:

• //nolint:gosec (golangci-lint style) — in 2 workflow compiler files
• #nosec G304 -- justification (native gosec style) — in ~25 files

Since gosec is disabled in golangci-lint (due to config bugs), //nolint:gosec annotations have no effect on the actual gosec scanner. Only #nosec annotations are respected by the standalone gosec tool.

---

Research Findings

🚨 Version Inconsistency — Three Different Versions!

Location	Version
go.mod	v2.24.7
Makefile (security-gosec target)	v2.23.0
.github/workflows/security-scan.yml	v2.22.11
Latest available	v2.25.0 (released 2026-03-19)

The CI security scan is running v2.22.11 — two minor versions behind go.mod. This means 18+ months of bug fixes, false-positive reductions, and new rules are being missed in the security scan that uploads SARIF to GitHub code scanning.

New in v2.25.0 (vs v2.24.7 in go.mod)

• G124 — Insecure HTTP cookie configuration (new)
• G708 — Server-side template injection via text/template (new)
• G709 — Unsafe deserialization of untrusted data (new)
• G120 — Ported from SSA-based to taint analysis (more accurate)
• G701-G706 CWE mappings added (CWE-117, CWE-918)
• Fixed false positives: G115 (guarded int64-to-byte), G117 (custom marshalers), G118 (cancel func patterns)
• Fixed infinite recursion in interprocedural taint analysis
• Fixed panic on ill-typed packages
• grpc dependency bumped 1.75.0 → 1.79.3

---

Improvement Opportunities

🏃 Quick Wins

1. Unify gosec version across go.mod, Makefile, and CI

The Makefile installs gosec@v2.23.0 and CI installs @v2.22.11, but go.mod pins v2.24.7. This defeats the purpose of pinning tools in go.mod. Fix: use go install github.com/securego/gosec/v2/cmd/gosec@$(go list -m -f '\{\{.Version}}' github.com/securego/gosec/v2) or simply drop the hardcoded version so go install respects the module graph.

2. Upgrade to v2.25.0

New false-positive fixes for G115 (guarded int64-to-byte conversions) could reduce some of the 6 existing G115 #nosec annotations. Also fixes taint analysis panics which could affect scan stability.

3. Remove redundant //nolint:gosec annotations

In pkg/workflow/safe_outputs_config_helpers.go and pkg/workflow/compiler_safe_outputs_steps.go, //nolint:gosec annotations are present but gosec is disabled in golangci-lint — these annotations do nothing. They should either be converted to #nosec (for the standalone scanner) or removed.

4. Remove redundant G101 #nosec annotations

G101 is globally excluded via -exclude=G101, so the 6 #nosec G101 annotations in copilot_engine_execution.go are redundant. They can be removed or kept for documentation clarity.

✨ Feature Opportunities

5. Evaluate new rules G124, G708, G709

The project uses HTTP handlers and YAML/template processing. These new rules deserve evaluation:

• G124: Does the project set HTTP cookies? If so, are HttpOnly/Secure flags set?
• G708: Does the project use text/template with user-controlled templates? (Risk of SSTI)
• G709: Any deserialization of untrusted data (e.g., gob, encoding/xml)?

These rules are not yet excluded globally, so they'll start firing on the first v2.25.0 scan.

6. Path-based exclusions for targeted suppression

gosec v2 supports --exclude-rules="path_regex:G204,G304" and a config file format. Instead of globally excluding G204 and G304 for the entire codebase, these could be scoped to specific files where they're legitimately needed (pkg/parser/remote_fetch.go, pkg/cli/*.go).

7. AI-assisted fix suggestions

gosec now supports claude-sonnet-4-0 via -ai-api-provider flag for generating AI-assisted security fix suggestions. This could be integrated into a daily security workflow to auto-suggest fixes for any new findings.

📐 Best Practice Alignment

8. Standardize suppression annotation style

Use #nosec GRule -- justification (native gosec format) consistently. The //nolint:gosec style works only when gosec runs through golangci-lint (which it doesn't here). The project mostly already follows #nosec — just 2 files need updating.

9. gosec re-enablement in golangci-lint

The .golangci.yml comment says gosec was disabled due to "configuration bugs in v2". With v2.25.0, many configuration issues have been fixed. It may be worth re-testing gosec as a golangci-lint linter with the linters-settings.gosec.exclude config to unify tooling.

---

Recommendations (Prioritized)

1. [High] Align CI security-scan.yml to use go.mod's gosec version — currently v2.22.11 in CI vs v2.24.7 in go.mod means CI misses 1.5 years of improvements
2. [High] Upgrade go.mod gosec to v2.25.0 for improved G115/G117/G118 false-positive reduction and new rules
3. [Medium] Evaluate G124/G708/G709 for applicability before upgrading (avoid surprise CI failures)
4. [Low] Convert 2 //nolint:gosec annotations to #nosec in workflow compiler files
5. [Low] Remove 6 redundant #nosec G101 annotations (already globally excluded)

---

Next Steps

• Check if the project uses text/template with user-controlled input (G708 relevance)
• Audit HTTP cookie usage for G124 applicability
• Update version pins and test v2.25.0 scan locally
• File issue to re-evaluate gosec in golangci-lint after v2.25.0 upgrade

---

Module summary saved to: scratchpad/mods/gosec.md

References: §23332930451

AI generated by Go Fan · history

• expires on Mar 21, 2026, 7:23 AM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-03-21T07:23:23.800Z.

Closed by Workflow