This document describes the security analysis tools and processes used in the go-locate project.

The project uses multiple security analysis tools to ensure code security:

gosec performs static security analysis of Go code by scanning the Go AST and SSA code representation. It detects common security issues like hardcoded credentials, insecure TLS configurations, and SQL injection vulnerabilities.

govulncheck is the official Go vulnerability scanner that checks for known vulnerabilities in Go modules. It analyzes your codebase and dependencies to identify vulnerabilities that actually affect your code, reducing noise by only reporting issues in functions your code actually calls.

errcheck is a Go static analysis tool that checks for unchecked errors in Go code. It ensures that error return values are properly handled, which is crucial for robust and secure applications. Unhandled errors can lead to unexpected behavior, resource leaks, and security vulnerabilities.

revive is a fast, configurable, and extensible linter for Go that enforces coding standards and best practices. It's integrated into our golangci-lint configuration and provides rules for naming conventions, code style, error handling patterns, and more. This helps maintain consistent, readable, and maintainable code across the project.

Syft is a powerful CLI tool and Go library for generating Software Bill of Materials (SBOM) from container images and filesystems. It provides detailed visibility into packages and dependencies, helping manage vulnerabilities, license compliance, and software supply chain security. Syft supports multiple SBOM formats including SPDX, CycloneDX, and its own native format.

The project uses the official anchore/sbom-action GitHub Action for automated SBOM generation in CI/CD pipelines, which provides seamless integration with GitHub workflows and automatic release asset uploads. The SPDX format SBOM is also automatically submitted to GitHub's Dependency Graph for enhanced dependency tracking and vulnerability alerts.

• make security-scan - Run gosec security scanner with SARIF output
• make security-scan-json - Run gosec security scanner with JSON output
• make security-scan-html - Run gosec security scanner with HTML output
• make security-scan-ci - Run gosec security scanner for CI (no-fail mode)

• make vuln-check - Run govulncheck vulnerability scanner
• make vuln-check-json - Run govulncheck with JSON output
• make vuln-check-ci - Run govulncheck for CI (no-fail mode)

• make errcheck - Check for unchecked errors in Go code

• make sbom-generate - Generate SBOM with Syft (JSON format)
• make sbom-syft - Generate SBOM in Syft JSON format (alias for sbom-generate)
• make sbom-spdx - Generate SBOM in SPDX JSON format
• make sbom-cyclonedx - Generate SBOM in CycloneDX JSON format
• make sbom-all - Generate SBOM in all supported formats
• make sbom-ci - Generate SBOM for CI pipeline (quiet mode)

• make check-all - Run all code quality checks including error checking, security, vulnerability scans and SBOM generation

The gosec scanner is configured via the .gosec.json file in the project root. This configuration:

• Enables security auditing and nosec directive handling
• Configures specific rules for credential detection (G101), error handling (G104), and other security checks
• Excludes test files from certain security checks where appropriate
• Excludes vendor directories and test data from scanning

The errcheck tool is configured via the .errcheck_excludes.txt file which excludes common safe patterns:

• File close operations in defer statements
• Output operations to stdout/stderr
• Printf family functions that rarely fail
• Buffer write operations with predictable behavior

Security and vulnerability scanning is integrated into the CI/CD pipeline via GitHub Actions:

• gosec: Static security analysis runs on every push and PR
• govulncheck: Vulnerability detection runs on every push and PR
• errcheck: Error handling analysis runs on every push and PR
• revive: Code style and naming conventions (via golangci-lint)
• testify: Comprehensive unit testing framework for robust test coverage
• Syft: Software Bill of Materials (SBOM) generation using anchore/sbom-action for supply chain security
• Trivy: Additional vulnerability scanning for comprehensive coverage
• Nancy: Sonatype vulnerability checking
• OpenSSF Scorecard: Security posture assessment

• Runs on every push to main branch
• Runs on pull requests
• Scheduled weekly scans (Tuesdays at 07:20 UTC)
• Results uploaded to GitHub Security tab
• SARIF and JSON reports stored as artifacts
• SBOM automatically uploaded as release assets when creating GitHub releases

The following gosec rules are actively monitored:

• G101: Hard coded credentials detection
• G401: Weak cryptographic hashes (MD5, SHA1)
• G402: Insecure TLS connection settings
• G404: Insecure random number sources

• G201: SQL query construction using format strings
• G202: SQL query construction using string concatenation
• G204: Command execution audit

• G301: Poor file permissions when creating directories
• G302: Poor file permissions with chmod
• G306: Poor file permissions when writing files

• G104: Audit unchecked errors
• G115: Integer overflow detection

For legitimate cases where security warnings are false positives, use the #nosec annotation:

// Example: Acceptable use of weak random for non-security purposes
randomValue := rand.Intn(100) // #nosec G404 -- Used for test data generation only

1. Install all security tools:

   make install-tools

2. Run all security checks:

   make check-all

Static Security Analysis (gosec):

make security-scan          # SARIF output
make security-scan-json     # JSON output
make security-scan-html     # HTML output

Vulnerability Detection (govulncheck):

make vuln-check             # Standard output
make vuln-check-json        # JSON output

Error Handling Analysis (errcheck):

make errcheck               # Check for unchecked errors

Software Bill of Materials (Syft):

make sbom-generate          # Syft JSON format
make sbom-spdx              # SPDX JSON format
make sbom-cyclonedx         # CycloneDX JSON format
make sbom-all               # All formats

# View gosec results
cat gosec-report.sarif
cat gosec-report.json

# View govulncheck results
cat vulncheck-report.json

# View SBOM results
cat sbom.syft.json          # Syft JSON format
cat sbom.spdx.json          # SPDX JSON format
cat sbom.cyclonedx.json     # CycloneDX JSON format

The project maintains continuous security monitoring through:

1. Automated Scanning: Every code change triggers security analysis
2. Dependency Monitoring: Regular checks for vulnerable dependencies
3. SBOM Generation: Software Bill of Materials created for supply chain visibility
4. Security Advisories: GitHub Security Advisory monitoring
5. SARIF Integration: Results integrated with GitHub Security tab

1. Never commit secrets: Use environment variables or secure secret management
2. Validate input: Always validate and sanitize user input
3. Use strong cryptography: Prefer secure algorithms and proper key management
4. Handle errors: Never ignore security-related errors
5. Principle of least privilege: Use minimal required permissions
6. Regular updates: Keep dependencies updated with security patches

Current Status: gosec v2.22.5 uses hardcoded CWE (Common Weakness Enumeration) taxonomy version 4.4 released on March 15, 2021.

Latest Available: CWE taxonomy version 4.17 was released on April 3, 2025.

Impact:

• SARIF reports contain outdated CWE classifications
• Newer weakness categories and updated descriptions are not available
• Security tooling integration may reference deprecated CWE entries

Workaround:

• This is a limitation of the gosec tool itself, not our configuration
• gosec hardcodes the CWE version in its source code without configuration options
• Consider upgrading gosec when newer versions with updated CWE taxonomy become available

Tracking: Monitor gosec releases for CWE taxonomy updates

If you discover a security vulnerability, please report it privately to the maintainers through GitHub Security Advisories rather than opening a public issue.