[go-fan] Go Module Review: securego/gosec

[github-actions[bot]]

Today's module review: github.com/securego/gosec/v2 v2.23.0 — selected because it was pushed to GitHub just today (2026-02-23), making it the most recently active direct dependency in the project's go.mod.

gosec is the Go security static analysis tool used in gh-aw to scan for security vulnerabilities in source code. It was updated significantly in v2.23.0 with a new taint analysis engine and performance improvements.

---

Current Usage in gh-aw

gosec is used exclusively as a CLI tool, not as a library API. The dependency in go.mod exists to pin the version for reproducibility.

• Files: 4 locations (tools.go, Makefile, security-scan.yml, .golangci.yml)
• Import count: 1 blank import (_ "github.com/securego/gosec/v2/cmd/gosec" in tools.go)
• Key usage: make security-gosec and daily CI scan via .github/workflows/security-scan.yml
• 33 //nolint:gosec annotations in non-test production code
• gosec disabled in golangci-lint due to "configuration bugs in v2" — run separately instead

Current gosec invocation flags

gosec -fmt sarif -out gosec-results.sarif -stdout -exclude-generated -track-suppressions \
  -exclude=G101,G115,G204,G602,G301,G302,G304,G306 ./...

---

Research Findings

Recent Updates (v2.23.0)

The headline feature in v2.23.0 is the taint analysis engine — a significant advancement that tracks user-controlled data flowing through the program to dangerous sinks:

• G703 — SQL injection via taint analysis
• G705 — SSRF (Server-Side Request Forgery) via taint tracking
• G707 (NEW) — SMTP command/header injection via taint analysis
• G122 (NEW) — filepath.Walk/WalkDir symlink TOCTOU race risks
• G123 (NEW) — tls.VerifyPeerCertificate resumption bypass risk

Performance improvements also landed:

• sync.Pool caching in GetCallInfo
• Parallel package processing
• Entropy pre-filtering for secret detection (faster G101-style checks)
• sync.Once for Go version caching

Notable bug fixes:

• Fixed G602 analyzer panic that killed the gosec process
• Fixed nosec comments with trailing open brackets
• Fixed taint analysis false positives (G703, G705)

New CLI feature: --exclude-rules flag for fine-grained path-based rule exclusions.

Best Practices

• Use --exclude-generated to skip auto-generated files (already done ✅)
• Use --track-suppressions to include suppressed items in SARIF (already done ✅)
• Pin gosec version in go.mod via tools pattern (already done ✅)
• Keep excluded rules in sync across Makefile and CI (partially done — see issue below)

---

Improvement Opportunities

🏃 Quick Wins

1. Fix CI version mismatch (actionable)

.github/workflows/security-scan.yml installs gosec@v2.22.11 while go.mod and Makefile both reference v2.23.0. This means:

• CI misses the G602 panic fix from v2.23.0
• CI misses the new taint analysis rules
• The principle of "consistent tool versions across development and CI" (documented in tools.go) is violated

# Current in security-scan.yml (line 29):
go install github.com/securego/gosec/v2/cmd/gosec@v2.22.11

# Should be:
go install github.com/securego/gosec/v2/cmd/gosec@v2.23.0

2. Add G104 path exclusions to reduce inline annotations

logger/logger.go and parser/schedule_fuzzy_scatter.go both check hash.Hash.Write errors to satisfy G104. The .golangci.yml excludes G104 only in _test.go files. These two production files could be added as path-based G104 exclusions (aligning with existing pattern), removing the need for inline //nolint:gosec comments.

✨ Feature Opportunities

3. Enable taint analysis for exec.Command flows

The codebase has ~20+ exec.Command / exec.CommandContext calls across pkg/cli/ and pkg/workflow/. Many are excluded with broad G204 suppression. The new taint analysis engine in v2.23.0 could be used specifically for G703/G705 to check if user-controlled input flows to dangerous sinks — a more precise approach than broad exclusions.

4. Leverage --exclude-rules flag for precision

The new --exclude-rules flag enables path-based rule exclusions directly in the gosec CLI invocation. Currently the project uses global -exclude=G204 which suppresses subprocess checks entirely. Example of more targeted approach:

gosec \
  --exclude-rules 'G204:pkg/cli/actionlint.go' \
  --exclude-rules 'G204:pkg/parser/remote_fetch.go' \
  --exclude-rules 'G304:pkg/parser/frontmatter_content.go' \
  # ... instead of global -exclude=G204,G304

This would catch new G204/G304 violations in new code while still suppressing known-safe ones.

📐 Best Practice Alignment

5. Consolidate exclusion documentation

The project has excellent exclusion docs in scratchpad/gosec.md and .golangci.yml, but the actual gosec invocations in Makefile and CI use command-line -exclude flags. Since gosec v2.23.0 supports configuration files (gosec.toml), a config file could centralize all exclusions so Makefile and CI both use gosec -conf gosec.toml — eliminating the drift between them (which this review found).

🔧 General Improvements

6. The .golangci.yml gosec section is orphaned

The file has extensive exclude-rules for gosec (30+ entries) but gosec is disabled in golangci-lint. This means those exclusion rules in .golangci.yml are documentation-only and have no runtime effect. A comment noting this explicitly (or a link to where the rules are applied) would help future maintainers avoid confusion.

---

Recommendations

Priority	Action	Impact
High	Update security-scan.yml to install gosec@v2.23.0	Fixes panic bug, activates new taint rules
Medium	Add G104 path exclusions for logger.go / schedule_fuzzy_scatter.go	Removes 2 inline suppressions, cleaner code
Medium	Evaluate enabling taint analysis rules (G703, G705)	Better detection of injection risks
Low	Use --exclude-rules for path-based G204 precision	More targeted suppression strategy
Low	Consider gosec.toml config file for centralized exclusion management	Eliminates Makefile/CI drift

---

Next Steps

• Update security-scan.yml line 29: gosec@v2.22.11 → gosec@v2.23.0
• Review the 30+ exclude-rules in .golangci.yml gosec section and add a note clarifying they are reference-only
• Evaluate whether the new taint analysis rules (G703, G705) generate useful signal on this codebase with make security-gosec

---

Module summary saved to: scratchpad/mods/gosec.md

References:

• §22296558298

AI generated by Go Fan

• expires on Feb 24, 2026, 7:28 AM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-02-24T07:28:58.145Z.

Closed by Workflow