Go Module Review: gosec

[github-actions[bot]]

Go Fan Report: gosec (Go Security Checker)

Module Overview

gosec (github.com/securego/gosec) is a comprehensive static analysis security tool that inspects Go source code for security problems by scanning the Go AST and SSA code representation. It's the industry-standard security scanner for Go applications, detecting vulnerabilities like hardcoded credentials, SQL injection, command injection, weak cryptography, and 60+ other security issues.

Version in go.mod: v2.22.11 (latest!)
Repository: https://github.com/securego/gosec
Stars: 8,586+ ⭐
License: Apache 2.0
Maintenance: Highly active (last update 6 days ago)
Sponsor: Mercedes-Benz

Current Usage in gh-aw

gh-aw has an excellent multi-layered security integration with gosec:

1. Build-Time Tool Tracking

Location: tools.go:11

• Tracked as build-time dependency for version consistency
• Ensures gosec is available via go install

2. GitHub Actions Security Workflow

Location: .github/workflows/security-scan.yml:14-37

• Daily scans at 6:00 AM UTC + manual dispatch
• SARIF integration with GitHub Code Scanning
• Results visible in Security tab
• Excludes generated files (best practice)
• ⚠️ Version outdated: Using v2.22.10 (should be v2.22.11)

3. Makefile Integration

Location: Makefile:127-132

• Local security scanning: make security-gosec
• JSON output to gosec-report.json
• Auto-installs gosec if not present
• Includes in make security-scan comprehensive target

4. golangci-lint Integration

Location: .golangci.yml:10

• Enabled in linter suite
• Sensible exclusions:
  • G101: Hardcoded credentials (false positives)
  • G602: Slice bounds (runtime handled)
  • G115: Integer overflow (acceptable)
• File-specific exceptions for docker/git commands

Files Using gosec

• tools.go - Build tool dependency
• .github/workflows/security-scan.yml - CI security scanning
• Makefile - Local security commands
• .golangci.yml - Linter integration
• DEVGUIDE.md - Documentation

Research Findings

What's New in v2.22.11 (Released Dec 11, 2025)

The latest release brings exciting new capabilities:

1. Trojan Source Detection (G116) 🆕

   • Detects Unicode bidirectional control characters
   • Prevents invisible malicious code insertion
   • Critical for supply chain security

2. AI-Powered Vulnerability Fixes 🤖🆕

   • Claude: claude-sonnet-4-0, claude-opus-4-0, etc.
   • Gemini: gemini-2.5-pro, gemini-2.5-flash, etc.
   • OpenAI: gpt-4o, gpt-4o-mini
   • Custom APIs: Azure OpenAI, LocalAI, Ollama
   • Get AI-suggested fixes for security issues!

3. Enhanced Build Tag Parsing

   • Better handling of build constraints
   • More accurate conditional code analysis

4. Performance Improvements

   • Skip SSA analysis if no analyzers loaded
   • Faster scans on large codebases

Security Rules Coverage

gosec implements 60+ security checks across:

• Credentials (G101): Hardcoded secrets
• Crypto (G401-G407): Weak crypto (MD5, SHA1, DES, RC4)
• SQL (G201-G202): SQL injection
• Command (G204): Command injection
• File (G301-G307): File permissions, path traversal
• Network (G102, G402, G114): TLS, timeouts
• Integer (G109, G115): Overflow detection
• Imports (G501-G507): Blocklist weak crypto
• And more: DoS, XSS, SSRF, etc.

Best Practices from Maintainers

1. ✅ Use #nosec [rule] -- justification for false positives
2. ✅ Integrate SARIF output with GitHub Code Scanning
3. ✅ Track suppressions with -track-suppressions
4. ✅ Exclude generated files with -exclude-generated
5. ✅ Use AI-powered fixes for faster remediation
6. ✅ Configure via JSON/YAML file for team consistency

Improvement Opportunities

🏃 Quick Wins (5-10 minutes)

1. Update Workflow to v2.22.11 ⚡ IMMEDIATE

   # .github/workflows/security-scan.yml:29
   - go install github.com/securego/gosec/v2/cmd/gosec@v2.22.10
   + go install github.com/securego/gosec/v2/cmd/gosec@v2.22.11

   Benefit: Get Trojan Source detection (G116), latest security checks

2. Add Suppression Tracking 📝

   # .github/workflows/security-scan.yml:30
   - gosec -fmt sarif -out gosec-results.sarif -exclude-generated ./...
   + gosec -fmt sarif -out gosec-results.sarif -exclude-generated -track-suppressions ./...
   
   # Makefile:131
   - gosec -fmt=json -out=gosec-report.json -stdout -exclude-generated ./...
   + gosec -fmt=json -out=gosec-report.json -stdout -exclude-generated -track-suppressions ./...

   Benefit: Audit trail for all #nosec annotations

3. Add Stdout to Workflow 🖥️

   # .github/workflows/security-scan.yml:30
   - gosec -fmt sarif -out gosec-results.sarif -exclude-generated -track-suppressions ./...
   + gosec -fmt sarif -out gosec-results.sarif -stdout -exclude-generated -track-suppressions ./...

   Benefit: See results in workflow logs without downloading SARIF

4. Version Pin in Makefile 📌

   # Makefile:130
   - `@command` -v gosec >/dev/null || go install github.com/securego/gosec/v2/cmd/gosec@latest
   + `@command` -v gosec >/dev/null || go install github.com/securego/gosec/v2/cmd/gosec@v2.22.11

   Benefit: Reproducible security scans

✨ Feature Opportunities

5. AI-Powered Vulnerability Fixes 🤖 NEW!

   Leverage the new AI fix suggestion feature for automated remediation:

   # Using Claude (recommended for Go code)
   gosec -ai-api-provider="claude-sonnet-4-0" \
         -ai-api-key="$ANTHROPIC_API_KEY" \
         -fmt sarif -out results.sarif ./...
   
   # Using Gemini
   gosec -ai-api-provider="gemini-2.0-flash" \
         -ai-api-key="$GEMINI_API_KEY" \
         -fmt sarif -out results.sarif ./...

   Use Cases:

   • Get AI-suggested fixes in CI comments
   • Automated security fix PRs
   • Learning tool for security best practices
   • Faster vulnerability remediation

6. Human-Readable Security Report 📊

   # Add to Makefile
   .PHONY: security-report
   security-report:
   	`@echo` "Running gosec security scanner..."
   	`@command` -v gosec >/dev/null || go install github.com/securego/gosec/v2/cmd/gosec@v2.22.11
   	gosec -fmt=text -stats -exclude-generated ./...
   	`@echo` "✓ Security report complete"

   Benefit: Quick security overview for developers

7. Pre-Commit Hook Integration 🔒

   Catch security issues before they're committed:

   # .git/hooks/pre-commit
   #!/bin/bash
   echo "Running gosec on staged files..."
   go list -f '{{.Dir}}' ./... | xargs gosec -quiet

   Benefit: Early security detection

📐 Best Practice Alignment

8. Document Security Exclusions 📝

   Create SECURITY.md or update DEVGUIDE.md with:

   • Why each gosec rule is excluded
   • Security review rationale
   • Team decision documentation
   • CWE mapping for compliance

   Benefit: Security audit trail, compliance documentation

9. Centralized gosec Configuration ⚙️

   // .gosec.json
   {
     "global": {
       "nosec": "enabled",
       "audit": "disabled"
     },
     "exclude-generated": true,
     "exclude-dirs": ["vendor", "third_party"]
   }

   Use with: gosec -conf .gosec.json ./...

   Benefit: Team-wide consistency

10. Align Makefile and Workflow Flags 🔄

    Currently inconsistent:

    • Makefile: JSON format, stdout
    • Workflow: SARIF format, no stdout

    Document differences or align for consistency.

🔧 General Improvements

11. CWE Mapping Documentation 🏛️

    Document CWE mappings for:

    • Excluded rules
    • Active security checks
    • Vulnerability categories
    • Compliance requirements

    Benefit: Security audits, compliance reports

12. Verify CI Integration ✅

    Check if make test-security runs in CI:

    • Security regression tests
    • Fuzz test corpus
    • Already implemented in Makefile:114-120

    If not in CI, add to test workflow.

Rating: ⭐⭐⭐⭐ (4/5 - GOOD)

Strengths ✅

• ✅ Comprehensive multi-layer integration
• ✅ Daily automated security scans
• ✅ GitHub Code Scanning integration
• ✅ golangci-lint integration
• ✅ Makefile targets for local use
• ✅ Sensible exclusions with rationale
• ✅ Up-to-date version in go.mod
• ✅ Excludes generated files
• ✅ Documented in DEVGUIDE.md

Areas for Improvement ⚠️

• ⚠️ Workflow version outdated (v2.22.10)
• ⚠️ Missing suppression tracking
• ⚠️ Not using AI-powered fixes
• ⚠️ Inconsistent flags (Makefile vs workflow)
• ⚠️ No stdout in workflow
• ⚠️ Undocumented exclusion rationale

Recommendations

Priority 1: Immediate (Today)

1. ⚡ Update workflow to v2.22.11 - Get Trojan Source detection
2. 📝 Add -track-suppressions flag - Audit trail
3. 📌 Version pin in Makefile - Reproducibility

Time: 10 minutes
Impact: High - Latest security features, better auditability

Priority 2: This Week

4. 🤖 Explore AI-powered fixes - Test with Claude/Gemini
5. 📊 Add make security-report - Human-readable output
6. 📝 Document exclusion rationale - Security review

Time: 2-3 hours
Impact: Medium - Enhanced security workflow, better documentation

Priority 3: Next Sprint

7. 🔒 Pre-commit hook - Early detection
8. ⚙️ Configuration file - Team consistency
9. 🏛️ CWE mapping docs - Compliance

Time: 4-6 hours
Impact: Medium - Process improvements, compliance

Next Steps

For the team to consider:

1. Apply Priority 1 quick wins today (10 min)
2. Evaluate AI-powered fix suggestions for security workflow
3. Create SECURITY.md documenting security practices
4. Consider pre-commit hooks for developer workflow

What makes me excited 🎉:

The AI-powered vulnerability fixes in v2.22.11 are game-changing! Imagine getting Claude Sonnet suggestions for fixing security issues directly in your CI pipeline. This is the future of automated security remediation, and gh-aw is perfectly positioned to leverage it given the existing comprehensive gosec integration.

Conclusion

gh-aw has a solid, production-ready gosec integration earning a 4/5 rating. The foundation is excellent with multi-layer security scanning (GitHub Actions, golangci-lint, Makefile). With just a few quick wins—updating to v2.22.11, adding suppression tracking, and exploring AI-powered fixes—this could easily be a 5/5 integration.

Bottom line: Minor updates will unlock powerful new security capabilities like Trojan Source detection and AI-powered vulnerability remediation. The investment is minimal (10 minutes), the payoff is significant (cutting-edge security tooling).

---

Module summary saved to: specs/mods/gosec.md

References:

• Documentation: (redacted)
• Repository: https://github.com/securego/gosec
• Rules: https://github.com/securego/gosec/blob/master/RULES.md
• AI Fixes: https://github.com/securego/gosec#auto-fixing-vulnerabilities
• CWE Mapping: https://github.com/securego/gosec/blob/master/issue/issue.go#L50

AI generated by Go Fan

[pelikhan]

/plan

[github-actions[bot]]

🎉 Yo ho ho! Plan Command found the treasure and completed successfully! ⚓💰

[github-actions[bot]]

Plan Created ✅

Thank you for the comprehensive gosec analysis! I've created a structured implementation plan to address the improvement opportunities identified.

Created Issues

Parent Tracking Issue: Upgrade gosec integration to v2.22.11 and improve security scanning

Sub-Issues (5 focused tasks):

1. Update GitHub Actions workflow to gosec v2.22.11 - Get Trojan Source detection (G116) and latest security features
2. Add suppression tracking to gosec scans - Create audit trail for #nosec annotations
3. Enable stdout output in security scan workflow - See results in logs without downloading SARIF
4. Pin gosec version in Makefile for reproducibility - Ensure consistent scanning across environments
5. Document gosec security exclusions and rationale - Security audit trail and compliance documentation

Implementation Approach

The plan is divided into two priorities:

Priority 1 (Quick Wins) - Tasks 1-4: ~10-15 minutes total

• Immediate security improvements
• No breaking changes
• High impact for minimal effort

Priority 2 - Task 5: ~1-2 hours

• Better documentation and compliance
• Long-term maintainability
• Security audit preparation

Key Benefits

🔒 Enhanced Security: Trojan Source detection for supply chain protection
📝 Better Auditability: Track all security suppressions
🔄 Reproducibility: Consistent gosec versions across all environments
📊 Improved Visibility: Security results in workflow logs
📖 Documentation: Clear security practices and exclusion rationale

Next Steps

GitHub Copilot agents will work on these issues independently. Each sub-issue has clear acceptance criteria and implementation details.

---

The gosec analysis was excellent - thank you for the detailed research and actionable recommendations!

AI generated by Plan Command for discussion #7599