Comparing changes
base repository: securego/gosec
base: v2.24.0
head repository: securego/gosec
compare: v2.24.1
  • 10 commits
  • 18 files changed
  • 2 contributors

Commits on Feb 27, 2026

  1. Update gosec to v2.24.0 in the action and fix the docker image signing (#1552)
    
    Update the GitHub action to use gosec v2.24.0 and fix the docker image
    signing
    
    Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
    ccojocar authored Feb 27, 2026
    fd69748
  2. Extend the release workflow to push the container images also to GHCR

    The release process is extended to also push images to GHCR in addition
    to DockerHub. This is in preparation to migrate to GHCR after the next
    release.
    
    Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
    ccojocar committed Feb 27, 2026
    14d95fe
  3. c8a396c

Commits on Feb 28, 2026

  1. fix(G705): eliminate false positive when guard type cannot be resolved (#1554)
    
    * fix(G705): eliminate false positive when guard type cannot be resolved
    
    A guard cannot be satisfied when its type cannot be resolved.
    Otherwise gosec fires for code like:
    ```go
    package main
    
    import (
    	"fmt"
    	"os"
    )
    
    func main() {
    	fmt.Fprint(os.Stdout, os.Args[1])
    }
    ```
    In this case the guard type `http.ResponseWriter` cannot be resolved, all guards (1)
    are satisfied and we have a false gosec warning.
    
    Signed-off-by: leonnicolas <leonloechner@gmx.de>
    
    * remove the http package from example
    
    ---------
    
    Signed-off-by: leonnicolas <leonloechner@gmx.de>
    leonnicolas authored Feb 28, 2026
    e7eb24d
  2. fix(G120): prevent hang-like analysis blowup in wrapper protection checks (#1556)
    
    Summary:
    This change fixes the hang/perceived hang reported in issue #1555 when
    scanning large codebases with complex SSA graphs. The fix is
    intentionally scoped to G120 form parsing analysis only.
    
    Root cause:
    G120 wrapper/middleware protection logic repeatedly called
    value-dependency checks across many function/call combinations. The
    dependency traversal was depth-limited but not memoized, so cyclic and
    branch-heavy SSA structures (especially Phi-related paths) caused
    repeated re-traversal of the same graph regions and severe runtime
    blowup.
    
    What changed:
    A cycle-safe, memoized dependency checker was added and used only inside
    the G120 form parsing analysis flow. Existing G120 logic was kept
    semantically equivalent while replacing repeated raw dependency
    traversals with cached checks. Focused regression tests were added for
    cyclic Phi graphs to verify both cases: no target reachable (false) and
    target reachable (true), including stable repeated evaluation.
    
    Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
    ccojocar authored Feb 28, 2026
    9e5b3e2
  3. Add a SKILL and PROMPT for generating rules with AI (#1557)

    Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
    ccojocar authored Feb 28, 2026
    50c4345
  4. Add a SKILL and PROMPT for fixing a GitHub issue (#1558)

    Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
    ccojocar authored Feb 28, 2026
    34fe694
  5. fix(analyzers): avoid SSA dependency cycle blowups in issue #1555 paths (#1559)
    
    Route redirect dependency checks through the cycle-safe
    dependencyChecker instead of raw recursive valueDependsOn traversal.
    This ensures Phi-cycle graphs terminate quickly and avoids recursive
    work amplification that can look like hangs on large/generated
    codebases.
    
    Also remove the nil fallback in dependencyChecker.dependsOn so all
    analyzer paths consistently use cycle-aware logic.
    
    Add regression tests covering raw valueDependsOn behavior on:
    
    Phi cycle without target (must return false)
    Phi cycle with target path (must return true)
    Self-referential Phi node (must return false)
    
    Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
    ccojocar authored Feb 28, 2026
    7210bac
  6. 84df6fa
  7. chore(prompts): add skill and prompt to update supported Go versions (#1561)
    
    * chore(prompts): add supported Go version update skill and prompt
    
    * docs: add usage for supported Go version update prompt
    ccojocar authored Feb 28, 2026
    a7ab382
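The cycle-safe, memoized dependency check that the #1556 and #1559 commit messages above describe, as an added illustration that is not gosec's own code: `Value` is a constructed stand-in for an SSA value and `dependencyChecker` is a hypothetical memoizing checker, so both names are assumptions rather than gosec's `dependencyChecker` or `valueDependsOn`. The Phi-cycle cases the commits list (cycle without target, cycle with a path to the target, self-referential Phi, repeated evaluation) all terminate, and a second query for the same (value, target) pair is answered from the cache instead of re-walking the graph.

```go
package main

import "fmt"

// Value is a constructed SSA-value stand-in; a Phi listing itself forms a cycle.
type Value struct{ Operands []*Value }

// dependencyChecker memoizes (value, target) answers across queries.
type dependencyChecker map[[2]*Value]bool

// dependsOn reports whether v is target or is computed from target; a cycle
// (a Phi reaching itself) is a back edge, never a dependency.
func (c dependencyChecker) dependsOn(v, target *Value) bool {
	visited := map[*Value]bool{} // nodes explored during this query
	var path []*Value            // DFS stack: root .. current node
	var walk func(*Value) bool
	walk = func(cur *Value) bool {
		if r, ok := c[[2]*Value{cur, target}]; ok || visited[cur] {
			return r // memoized answer, or false on a back edge (cycle)
		}
		visited[cur] = true
		path = append(path, cur)
		if cur == target {
			return true
		}
		for _, op := range cur.Operands {
			if walk(op) {
				return true
			}
		}
		path = path[:len(path)-1]
		return false
	}
	if walk(v) {
		for _, p := range path { // every node on the hit path reaches target
			c[[2]*Value{p, target}] = true
		}
		return true
	}
	for n := range visited { // nothing reachable from v reaches target
		c[[2]*Value{n, target}] = false
	}
	return false
}

func main() {
	target, phi := &Value{}, &Value{}
	phi.Operands = []*Value{phi, target} // Phi cycle with a path to target
	fmt.Println(dependencyChecker{}.dependsOn(phi, target)) // true
}
```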