Release 3.2.0 · slimm609/checksec

[3.2.0]

SafeStack detection for ELF binaries.
CFI hardening detection extended to i386 CET and RISC-V Zicfilp/Zicfiss (Zicfilp landing pads, Zicfiss shadow stack), covering RV32 and RV64.
Sanitizer detection (ASAN, UBSAN, MSAN, TSAN, LSAN) by compiler-rt symbol prefix scan.
Selfrando detection via the .txtrp section (restores a checksec.bash check lost in the v3 port).
W^X segment check (SeparateCode): asserts no PT_LOAD segment is both writable and executable, as guaranteed by ld -z separate-code / lld --rosegment.
Stack-clash protection detection via annobin .gnu.build.attributes notes (authoritative on RHEL/Fedora/CentOS toolchains; reports Unknown otherwise).
RPATH/RUNPATH inspection that classifies each entry: relative/empty/world-writable as bad, $ORIGIN or nonexistent as warning, safe absolute as info.
annobin-based FORTIFY/GLIBCXX assertion detection.
CSV output format restored (dropped in the v3 Go port).
Restored listfile, procLibs, per-process Seccomp, and the Fortify breakdown.
--fail-if CI gate: exit non-zero when a required check is not in a good state.
Parallel directory scanning (RunListChecksParallel) over a bounded worker pool (default GOMAXPROCS).
--no-warnings and --color flags; warnings now include filename context.

Full RELRO detection now uses presence semantics for DT_BIND_NOW: any entry in the dynamic section is treated as bind-now, regardless of its d_val. Linkers that set a nonzero (spec-unused) value previously caused Full RELRO binaries to be misclassified as Partial or No RELRO.
CFI .note.gnu.property payload parsing: the GNU note wrapper is now validated and sliced out before walking properties, fixing a false negative where IBT+SHSTK binaries were reported as "NO SHSTK & NO IBT".
PIE detection now distinguishes PIE executables (DF_1_PIE or PT_INTERP present) from shared libraries (reported as DSO), and reports static-PIE binaries as "Static PIE" rather than "PIE Enabled".
NX: a missing PT_GNU_STACK now reports "No GNU_STACK" instead of being conflated with an RWX (NX-disabled) stack.
Canary detection now also matches __stack_chk_guard and __intel_security_cookie, restoring parity with checksec.bash for static/ICC binaries.
CFI is no longer dropped from XML output.
ParseProcMaps now propagates scanner errors and raises the token limit to 1 MiB so long mapping paths no longer truncate.
proc command now validates the PID up front and fails with a clear error on non-numeric input.
Fortify error returns and CFI note parser desync corrected.
procAll now skips kernel threads (kthreadd and its children) and non-ELF files instead of crashing on dangling /proc/<pid>/exe symlinks.
Improved error messages in the proc command.

Typed output pipeline: a uniform Result{Value, Status} return type for all binary checks and a single fileFields registry (column order, JSON keys, XML elements, table headers) — adding a check is now one line, and the "field silently dropped from one format" bug class is structurally prevented.
Check functions (RELRO, RPATH, RUNPATH, SYMBOLS, Fortify) now return errors instead of calling os.Exit(1) directly, making error paths testable and consistent.
Extracted pure helper functions from CFI, Fortify, and dynamic scan logic to enable property-based testing.
Property-based tests (via pgregory.net/rapid) for CFI note parsing, dynamic section scanning, and Fortify helpers; fixture-backed unit tests raise pkg/ coverage to 80.6%. CI now enforces an 80% coverage floor.

Each target ELF is opened exactly once per RunFileChecks (1 os.Open + 1 elf.NewFile) instead of ~9 reopens; a recursive scan of /usr/bin drops from ~18k to ~2k open syscalls.

Added pgregory.net/rapid for property-based testing.
Bumped github.com/u-root/u-root to 0.16.0, github.com/fatih/color to 1.19.0, and github.com/opencontainers/selinux.
Updated Ubuntu base image from 24.04 to 26.04.