Skip to content

chore: update github.com/securego/gosec/v2 from v2.23.0 to v2.24.7#19217

Merged
pelikhan merged 2 commits intomainfrom
copilot/update-gosec-dependency
Mar 2, 2026
Merged

chore: update github.com/securego/gosec/v2 from v2.23.0 to v2.24.7#19217
pelikhan merged 2 commits intomainfrom
copilot/update-gosec-dependency

Conversation

Copy link
Contributor

Copilot AI commented Mar 2, 2026
edited
Loading

Bumps github.com/securego/gosec/v2 from v2.23.0 to v2.24.7, picking up a SARIF output fix (null relationships), nosec comment handling changes in the action integration workflow, and container image migration to GHCR.

Dependency changes

  • github.com/securego/gosec/v2 v2.23.0 → v2.24.7
  • github.com/anthropics/anthropic-sdk-go v1.22.0 → v1.26.0 (transitive)
  • github.com/openai/openai-go/v3 v3.18.0 → v3.23.0 (transitive)
  • golang.org/x/net v0.50.0 → v0.51.0 (transitive)
  • google.golang.org/genai v1.45.0 → v1.47.0 (transitive)

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GO111MODULE x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/bin/git -json GO111MODULE 64/pkg/tool/linu--show-toplevel git (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GO111MODULE 64/bin/go git conf�� --get remote.origin.url /opt/hostedtoolcache/node/24.13.1/x64/bin/node -json GO111MODULE x_amd64/vet /opt/hostedtoolcache/node/24.13.1/x64/bin/node (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha /repos/actions/github-script/git/ref/tags/v8 --jq /usr/bin/git /tmp/go-build376git -trimpath 64/bin/go git remo�� add origin r,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,disp--show-toplevel -json flow x_amd64/vet git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha /tmp/TestHashStability_SameInputSameOutput1316751095/001/stability-test.md -extld=gcc clusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle npx prettier --wgit git de git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha sistency_GoAndJavaScript448389508/001/test-simple-frontmatter.md /tmp/go-build488945756/b003/vet.cfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet ck '**/*.cjs' '*git GO111MODULE 64/bin/go /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -uns�� -unreachable=false l /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile 852182/b358/_pkggit GO111MODULE 64/bin/go /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha itattributes-test3772620374/.github/workflows GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env runs/20260302-132210-39269/test-3354962824/.github/workflows GO111MODULE /home/REDACTED/work/_temp/uv-python-dir/node GOINSECURE GOMOD GOMODCACHE node (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -json cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env 4288/001/stability-test.md cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-current x_amd64/vet /usr/bin/git -json GO111MODULE x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/bin/git ub/workflows GO111MODULE x_amd64/vet git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel x_amd64/compile /usr/bin/git -json GO111MODULE 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git -json GO111MODULE cfg git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha GOMODCACHE (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha /tmp/go-build488945756/b418/_pkg_.a -trimpath /usr/bin/git -p github.com/githurev-parse -lang=go1.25 git rev-�� --show-toplevel -goversion /usr/bin/git -c=4 -nolocalimports -importcfg git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git -json cfg 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git -json cfg 64/pkg/tool/linu--show-toplevel git (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node /opt�� prettier --check 64/bin/go --ignore-path .prettierignore 64/bin/go go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha "prettier" --che-errorsas sh 64/bin/go tierignore (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --check scripts/**/*.js 64/bin/go .prettierignore (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha -bool -buildtags /usr/bin/git -errorsas -ifaceassert -nilfunc git rev-�� --show-toplevel -tests /usr/bin/git GOPATH prettier 64/bin/go git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha -bool -buildtags 1/x64/bin/node -errorsas -ifaceassert -nilfunc 1/x64/bin/node rev-�� --show-toplevel s/test.md /usr/bin/git run format:pkg-json modules/@npmcli/--show-toplevel git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --show-toplevel go /usr/bin/git runs/20260302-13git GO111MODULE /home/REDACTED/wor--show-toplevel git rev-�� --show-toplevel node /usr/bin/git --check **/*.cjs /usr/bin/git git (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha /tmp/go-build488945756/b409/_pkg_.a -trimpath /usr/bin/git -p main -lang=go1.25 git -C /tmp/gh-aw-test-runs/20260302-132056-26917/test-114916677 rev-parse /usr/bin/git go1.25.0 -c=4 -nolocalimports git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha -bool -buildtags /usr/bin/git -errorsas -ifaceassert -nilfunc git -C runs/20260302-132210-39269/test-108770695 config /usr/bin/git s/test.md format:pkg-json 64/bin/go git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --show-toplevel go /usr/bin/git ithub/workflows/git GO111MODULE /node_modules/.b--show-toplevel git rev-�� --show-toplevel node /usr/bin/git --check l 1/x64/bin/node git (http block)
  • https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha k/gh-aw/gh-aw/internal/tools/generate-action-metadata/main.go tmain.go ache/go/1.25.0/x64/pkg/tool/linux_amd64/link GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/x64/pkg/tool/linux_amd64/link -o 945756/b416/sliceutil.test -trimpath ache/node/24.13.1/x64/bin/node -p github.com/githurev-parse -lang=go1.25 EgQotH8PlVgAH/N0Byzs1MT4wiaWQwbBOo/Qyd34ijUvCPQrQaSejJR/p2vK9XDEgQotH8PlVgAH (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha ck '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.pret.prettierignore GO111MODULE nfig/composer/vendor/bin/bash GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
    • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE 1/x64/bin/node GOINSECURE GOMOD GOMODCACHE go tion�� -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
    • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json cfg x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE tions/node_modules/.bin/node GOINSECURE GOMOD GOMODCACHE go tion�� -json GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
    • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE x_amd64/link GOINSECURE GOMOD GOMODCACHE x_amd64/link env -json cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE uC/HOMpbcQyfh4G56Kcj8To/9s4TpGNoAuNCAzS01c-N (http block)
    • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE de_modules/.bin/node GOINSECURE GOMOD GOMODCACHE go tion�� -json GO111MODULE 64/pkg/tool/linux_amd64/link GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuremote.origin.url (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
    • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json cfg 64/pkg/tool/linux_amd64/vet on; \ echo "���git GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE 86_64/node GOINSECURE GOMOD GOMODCACHE go tion�� -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
    • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet tion�� -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
    • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuremote.origin.url (http block)
    • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go tion�� -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
    • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE x_amd64/link GOINSECURE GOMOD GOMODCACHE x_amd64/link env -json cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE HC/wPHmRHH07drGoremote.origin.url (http block)
    • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE 64/bin/node GOINSECURE GOMOD GOMODCACHE go tion�� -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD (http block)
  • https://api.github.com/repos/github/gh-aw/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path prettier --check 64/bin/go **/*.ts **/*.json --ignore-path node /hom�� --check scripts/**/*.js 64/bin/go .prettierignore (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 github.com/githurev-parse -lang=go1.25 go env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet stlo�� -json cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linutest@example.com (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha h ../../../.pret.prettierignore GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha h ../../../.prettierignore GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linutest@example.com env -json cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/owner/repo/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOSUMDB GOWORK 64/bin/go git -c log.showsignature=false log 64/bin/go -d --format=format:-atomic 18b2cc1df30b go (http block)
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolc/tmp/go-build488945756/b207/vet.cfg -V=f�� (http block)
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go --show-toplevel 64/pkg/tool/linu-c 1/x64/bin/node node /opt�� prettier --write /sh !../../../pkg/wosh --ignore-path ../../../.pretti"prettier" --check 'scripts/**/*.js' --ignore-path .prettierignore go (http block)
  • https://api.github.com/repos/owner/repo/contents/file.md
    • Triggering command: /tmp/go-build488945756/b383/cli.test /tmp/go-build488945756/b383/cli.test -test.testlogfile=/tmp/go-build488945756/b383/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true GOINSECURE GOMOD GOMODCACHE 852182/b407/impo-buildtags /hom�� che/go-build/e4/-errorsas **/*.cjs 64/bin/go **/*.json --ignore-path ../../../.pretti-bool /opt/hostedtoolc-buildtags (http block)
    • Triggering command: /tmp/go-build1075691614/b383/cli.test /tmp/go-build1075691614/b383/cli.test -test.testlogfile=/tmp/go-build1075691614/b383/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true **/*.ts **/*.json --ignore-path node /opt�� run format:pkg-json 64/bin/go tierignore ache/go/1.25.0/x/home/REDACTED/work/gh-aw/gh-aw/actions/setup/js/node_modules/.bin/prettier /usr/bin/git git (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name npx prettier --cGOSUMDB GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go node /hom�� --check scripts/**/*.js 64/bin/go .prettierignore (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name "prettier" --wriGOINSECURE git 64/bin/go --show-toplevel 64/pkg/tool/linu/opt/hostedtoolcache/node/24.13.1/x64/bin/npm /usr/bin/git sh -c npx prettier --wGOSUMDB git modules/@npmcli/run-script/lib/node-gyp-bin/node --show-toplevel Vqh7QChbBs18WVNt-c /usr/bin/git go (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details on the original issue you should resolve

<issue_title>[deps] Update github.com/securego/gosec/v2 from v2.23.0 to v2.24.7</issue_title>
<issue_description>## Summary
Update github.com/securego/gosec/v2 dependency from v2.23.0 to v2.24.7

Current State

  • Package: github.com/securego/gosec/v2
  • Current Version: v2.23.0
  • Proposed Version: v2.24.7
  • Update Type: Minor version jump + multi-patch jump

Why Separate Issue

⚠️ Minor version update with multi-version jump

  • This jumps a minor version (v2.23.0 → v2.24.x) and skips multiple patch releases
  • Includes multiple bug fixes across intermediate versions
  • Changes to SARIF output format may affect integrations
  • Container image references migrated to GHCR — may affect CI setup
  • Needs careful review to avoid breaking security scanning workflows

Safety Assessment

⚠️ Requires careful review

  • Multi-version jump (v2.23.0 → v2.24.7) increases risk of unintended behavior changes
  • SARIF output format changes (fixed null relationships) could affect downstream consumers
  • nosec comment handling changes in action integration workflow
  • Container image migration may affect any Docker-based usage

Changes

Based on the v2.24.7 release notes:

Links

Recommended Action

go get github.com/securego/gosec/v2@v2.24.7
go mod tidy

Testing Notes

  • Run all tests: make test
  • Run security scan: make lint (uses gosec internally)
  • Verify SARIF output if security scan results are consumed downstream
  • Check that existing #nosec comments still work as expected

Generated by Dependabot Dependency Checker

  • expires on Mar 4, 2026, 9:25 AM UTC

Comments on the Issue (you are @copilot in this section)

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

@pelikhan
chore: update github.com/securego/gosec/v2 from v2.23.0 to v2.24.7
5fdb1ed 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Update github.com/securego/gosec/v2 from v2.23.0 to v2.24.7 chore: update github.com/securego/gosec/v2 from v2.23.0 to v2.24.7 Mar 2, 2026
@pelikhan pelikhan marked this pull request as ready for review March 2, 2026 13:53
Copilot AI review requested due to automatic review settings March 2, 2026 13:53
Copilot AI reviewed Mar 2, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the repository’s Go module dependencies to use a newer gosec release and associated transitive dependency versions.

Changes:

  • Bump github.com/securego/gosec/v2 from v2.23.0 to v2.24.7
  • Refresh go.mod indirect dependencies and go.sum checksums accordingly

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File Description
go.mod Updates gosec and several indirect Go module versions to align with the new dependency graph.
go.sum Updates checksums and adds/removes transitive modules resulting from the dependency bump.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

go.mod
Comment on lines 18 to 20
github.com/santhosh-tekuri/jsonschema/v6 v6.0.2
github.com/securego/gosec/v2 v2.23.0
github.com/securego/gosec/v2 v2.24.7
github.com/sourcegraph/conc v0.3.0
Copy link

Copilot AI Mar 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The module version bump to github.com/securego/gosec/v2 v2.24.7 won’t affect the actual gosec binary used by this repo: the Makefile still installs gosec@v2.23.0 (Makefile:198 and :403) and the security workflow installs gosec@v2.22.11 (.github/workflows/security-scan.yml:29). To make this PR’s stated gosec upgrade effective (e.g., SARIF output fixes), update those pinned go install ...@... versions (or change them to rely on the tools.go/go.mod version) so they’re consistent with v2.24.7.

Copilot uses AI. Check for mistakes.
@pelikhan pelikhan merged commit 08ea051 into main Mar 2, 2026
65 checks passed
@pelikhan pelikhan deleted the copilot/update-gosec-dependency branch March 2, 2026 14:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[deps] Update github.com/securego/gosec/v2 from v2.23.0 to v2.24.7

3 participants

@pelikhan