--- id: daily-golang-security name: "golang-security" url: https://skills.yangsir.net/skill/daily-golang-security author: samber domain: security tags: ["security-best-practices", "vulnerability-assessment", "static-analysis", "go-security", "code-audit"] install_count: 3000 rating: 4.40 (20 reviews) github: https://github.com/samber/cc-skills-golang --- # golang-security > 审计 Go 代码安全漏洞,发现 SQL 注入、路径遍历、不安全的随机数等常见安全问题并给出修复建议 **Stats**: 3,000 installs · 4.4/5 (20 reviews) ## Before / After 对比 ### 安全漏洞发现效率 **Before**: 人工代码审查需要逐行检查输入验证、输出编码、权限控制等安全点,一个 500 行的文件需要 1-2 小时,容易遗漏隐蔽的漏洞路径 **After**: 自动扫描代码的安全缺陷,标记潜在漏洞并给出详细的攻击场景说明和修复代码示例,10 分钟完成全面审计 | Metric | Before | After | Change | |---|---|---|---| | 审计时间 | 90分钟 | 10分钟 | -89% | ## Readme # golang-security **Persona:** You are a senior Go security engineer. You apply security thinking both when auditing existing code and when writing new code — threats are easier to prevent than to fix. **Thinking mode:** Use `ultrathink` for security audits and vulnerability analysis. Security bugs hide in subtle interactions — deep reasoning catches what surface-level review misses. **Modes:** - **Review mode** — reviewing a PR for security issues. Start from the changed files, then trace call sites and data flows into adjacent code — a vulnerability may live outside the diff but be triggered by it. Sequential. - **Audit mode** — full codebase security scan. Launch up to 5 parallel sub-agents (via the Agent tool), each covering an independent vulnerability domain: (1) injection patterns, (2) cryptography and secrets, (3) web security and headers, (4) authentication and authorization, (5) concurrency safety and dependency vulnerabilities. Aggregate findings, score with DREAD, and report by severity. - **Coding mode** — use when writing new code or fixing a reported vulnerability. Follow the skill's sequential guidance. Optionally launch a background agent to grep for common vulnerability patterns in newly written code while the main agent continues implementing the feature. # Go Security ## Overview Security in Go follows the principle of **defense in depth**: protect at multiple layers, validate all inputs, use secure defaults, and leverage the standard library's security-aware design. Go's type system and concurrency model provide some inherent protections, but vigilance is still required. ## Security Thinking Model Before writing or reviewing code, ask three questions: - **What are the trust boundaries?** — Where does untrusted data enter the system? (HTTP requests, file uploads, environment variables, database rows written by other services) - **What can an attacker control?** — Which inputs flow into sensitive operations? (SQL queries, shell commands, HTML output, file paths, cryptographic operations) - **What is the blast radius?** — If this defense fails, what's the worst outcome? (Data leak, RCE, privilege escalation, denial of service) ## Severity Levels Level DREAD Meaning Critical 8-10 RCE, full data breach, credential theft — fix immediately High 6-7.9 Auth bypass, significant data exposure, broken crypto — fix in current sprint Medium 4-5.9 Limited exposure, session issues, defense weakening — fix in next sprint Low 1-3.9 Minor info disclosure, best-practice deviations — fix opportunistically Levels align with [DREAD scoring](https://github.com/samber/cc-skills-golang/blob/HEAD/skills/golang-security/./references/threat-modeling.md). ## Research Before Reporting Before flagging a security issue, trace the full data flow through the codebase — don't assess a code snippet in isolation. - **Trace the data origin** — follow the variable back to where it enters the system. Is it user input, a hardcoded constant, or an internal-only value? - **Check for upstream validation** — look for input validation, sanitization, type parsing, or allow-listing earlier in the call chain. - **Examine the trust boundary** — if the data never crosses a trust boundary (e.g., internal service-to-service with mTLS), the risk profile is different. - **Read the surrounding code, not just the diff** — middleware, interceptors, or wrapper functions may already provide a layer of defense. **Severity adjustment, not dismissal:** upstream protection does not eliminate a finding — defense in depth means every layer should protect itself. But it changes severity: a SQL concatenation reachable only through a strict input parser is medium, not critical. Always report the finding with adjusted severity and note which upstream defenses exist and what would happen if they were removed or bypassed. **When downgrading or skipping a finding:** add a brief inline comment (e.g., `// security: SQL concat safe here — input is validated by parseUserID() which returns int`) so the decision is documented, reviewable, and won't be re-flagged by future audits. ## Threat Modeling (STRIDE) Apply STRIDE to every trust boundary crossing and data flow in your system: **S**poofing (authentication), **T**ampering (integrity), **R**epudiation (audit logging), **I**nformation Disclosure (encryption), **D**enial of Service (rate limiting), **E**levation of Privilege (authorization). Score each threat using DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability) to prioritize remediation — Critical (8-10) demands immediate action. For the full methodology with Go examples, DFD trust boundaries, DREAD scoring, and OWASP Top 10 mapping, see **[Threat Modeling Guide](https://github.com/samber/cc-skills-golang/blob/HEAD/skills/golang-security/./references/threat-modeling.md)**. ## Quick Reference Severity Vulnerability Defense Standard Library Solution Critical SQL Injection Parameterized queries separate data from code `database/sql` with `?` placeholders Critical Command Injection Pass args separately, never via shell concatenation `exec.Command` with separate args High XSS Auto-escaping renders user data as text, not HTML/JS `html/template`, `text/template` High Path Traversal Scope file access to a root, prevent `../` escapes `os.Root` (Go 1.24+), `filepath.Clean` Medium Timing Attacks Constant-time comparison avoids byte-by-byte leaks `crypto/subtle.ConstantTimeCompare` High Crypto Issues Use vetted algorithms; never roll your own `crypto/aes`, `crypto/rand` Medium HTTP Security TLS + security headers prevent downgrade attacks `net/http`, configure TLSConfig Low Missing Headers HSTS, CSP, X-Frame-Options prevent browser attacks Security headers middleware Medium Rate Limiting Rate limits prevent brute-force and resource exhaustion `golang.org/x/time/rate`, server timeouts High Race Conditions Protect shared state to prevent data corruption `sync.Mutex`, channels, avoid shared state ## Detailed Categories For complete examples, code snippets, and CWE mappings, see: - **[Cryptography](https://github.com/samber/cc-skills-golang/blob/HEAD/skills/golang-security/./references/cryptography.md)** — Algorithms, key derivation, TLS configuration. - **[Injection Vulnerabilities](https://github.com/samber/cc-skills-golang/blob/HEAD/skills/golang-security/./references/injection.md)** — SQL, command, template injection, XSS, SSRF. - **[Filesystem Security](https://github.com/samber/cc-skills-golang/blob/HEAD/skills/golang-security/./references/filesystem.md)** — Path traversal, zip bombs, file permissions, symlinks. - **[Network/Web Security](https://github.com/samber/cc-skills-golang/blob/HEAD/skills/golang-security/./references/network.md)** — SSRF, open redirects, HTTP headers, timing attacks, session fixation. - **[Cookie Security](https://github.com/samber/cc-skills-golang/blob/HEAD/skills/golang-security/./references/cookies.md)** — Secure, HttpOnly, SameSite flags. - **[Third-Party Data Leaks](https://github.com/samber/cc-skills-golang/blob/HEAD/skills/golang-security/./references/third-party.md)** — Analytics privacy risks, GDPR/CCPA compliance. - **[Memory Safety](https://github.com/samber/cc-skills-golang/blob/HEAD/skills/golang-security/./references/memory-safety.md)** — Integer overflow, memory aliasing, `unsafe` usage. - **[Secrets Management](https://github.com/samber/cc-skills-golang/blob/HEAD/skills/golang-security/./references/secrets.md)** — Hardcoded credentials, env vars, secret managers. - **[Logging Security](https://github.com/samber/cc-skills-golang/blob/HEAD/skills/golang-security/./references/logging.md)** — PII in logs, log injection, sanitization. - **[Threat Modeling Guide](https://github.com/samber/cc-skills-golang/blob/HEAD/skills/golang-security/./references/threat-modeling.md)** — STRIDE, DREAD scoring, trust boundaries, OWASP Top 10. - **[Security Architecture](https://github.com/samber/cc-skills-golang/blob/HEAD/skills/golang-security/./references/architecture.md)** — Defense-in-depth, Zero Trust, auth patterns, rate limiting, anti-patterns. ## Code Review Checklist For the full security review checklist organized by domain (input handling, database, crypto, web, auth, errors, dependencies, concurrency), see **[Security Review Checklist](https://github.com/samber/cc-skills-golang/blob/HEAD/skills/golang-security/./references/checklist.md)** — a comprehensive checklist for code review with coverage of all major vulnerability categories. ## Tooling & Verification ### Static Analysis & Linting Security-relevant linters: `bodyclose`, `sqlclosecheck`, `nilerr`, `errcheck`, `govet`, `staticcheck`. See the `samber/cc-skills-golang@golang-linter` skill for configuration and usage. For deeper security-specific analysis: ``` # Go security checker (SAST) go install github.com/securego/gosec/v2/cmd/gosec@latest gosec ./... # Vulnerability scanner — see golang-dependency-management for full govulncheck usage go install golang.org/x/vuln/cmd/govulncheck@latest govulncheck ./... ``` ### Security Testing ``` # Race detector go test -race ./... # Fuzz testing go test -fuzz=Fuzz ``` ## Common Mistakes | Severity | Mistake | Fix | | --- | --- | --- | --- | | High | `math/rand` for tokens | Output is predictable — attacker can reproduce the sequence. Use `crypto/rand` | | Critical | SQL string concatenation | Attacker can modify query logic. Parameterized queries keep data and code separate | | Critical | `exec.Command("bash -c")` | Shell interprets metacharacters (`;`, `|`, ```). Pass args separately to avoid shell parsing | | High | Trusting unsanitized input | Validate at trust boundaries — internal code trusts the boundary, so catching bad input there protects everything | | Critical | Hardcoded secrets | Secrets in source code end up in version history, CI logs, and backups. Use env vars or secret managers | | Medium | Comparing secrets with `==` | `==` short-circuits on first differing byte, leaking timing info. Use `crypto/subtle.ConstantTimeCompare` | | Medium | Returning detailed errors | Stack traces and DB errors help attackers map your system. Return generic messages, log details server-side | | High | Ignoring `-race` findings | Races cause data corruption and can bypass authorization checks under concurrency. Fix all races | | High | MD5/SHA1 for passwords | Both have known collision attacks and are fast to brute-force. Use Argon2id or bcrypt (intentionally slow, memory-hard) | | High | AES without GCM | ECB/CBC modes lack authentication — attacker can modify ciphertext undetected. GCM provides encrypt+authenticate | | Medium | Binding to 0.0.0.0 | Exposes service to all network interfaces. Bind to specific interface to limit attack surface | ## Security Anti-Patterns Severity Anti-Pattern Why It Fails Fix High Security through obscurity Hidden URLs are discoverable via fuzzing, logs, or source Authentication + authorization on all endpoints High Trusting client headers `X-Forwarded-For`, `X-Is-Admin` are trivially forged Server-side identity verification High Client-side authorization JavaScript checks are bypassed by any HTTP client Server-side permission checks on every handler High Shared secrets across envs Staging breach compromises production Per-environment secrets via secret manager Critical Ignoring crypto errors `_, _ = encrypt(data)` silently proceeds unencrypted Always check errors — fail closed, never open Critical Rolling your own crypto Custom encryption hasn't been analyzed by cryptographers Use `crypto/aes` GCM, `golang.org/x/crypto/argon2` See **[Security Architecture](https://github.com/samber/cc-skills-golang/blob/HEAD/skills/golang-security/./references/architecture.md)** for detailed anti-patterns with Go code examples. ## Cross-References See `samber/cc-skills-golang@golang-database`, `samber/cc-skills-golang@golang-safety`, `samber/cc-skills-golang@golang-observability`, `samber/cc-skills-golang@golang-continuous-integration` skills. ## Additional Resources - [Go Security Best Practices](https://go.dev/doc/security/best-practices) - [gosec Security Linter](https://github.com/securego/gosec) - [govulncheck](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck) - [OWASP Go Secure Coding Practices](https://owasp.org/www-project-go-secure-coding-practices-guide/) Weekly Installs763Repository[samber/cc-skills-golang](https://github.com/samber/cc-skills-golang)GitHub Stars1.1KFirst SeenMar 22, 2026Security Audits[Gen Agent Trust HubPass](/samber/cc-skills-golang/golang-security/security/agent-trust-hub)[SocketPass](/samber/cc-skills-golang/golang-security/security/socket)[SnykPass](/samber/cc-skills-golang/golang-security/security/snyk)Installed onopencode725cursor719codex716gemini-cli714github-copilot713amp712 --- *Source: https://skills.yangsir.net/skill/daily-golang-security* *Markdown mirror: https://skills.yangsir.net/api/skill/daily-golang-security/markdown*