[go-fan] Go Module Review: securego/gosec

[github-actions[bot]]

🐹 Go Fan Report — daily deep-dive into a Go dependency. Today: the security scanner that keeps gh-aw honest.

Module Overview

github.com/securego/gosec/v2 is Go's most widely-used static security analysis tool. It inspects Go AST and SSA representations for security issues across 40+ rules covering: hardcoded credentials, unsafe file operations, integer overflows, subprocess injection, weak cryptography, SQL injection, network binding misconfigurations, and more. Version v2.24.7 landed just 2 days ago (2026-03-01) making this the perfect time to review.

Current Usage in gh-aw

gosec is used exclusively as a developer tool — pinned in tools.go via a blank import to track the binary in go.mod. It is not used as a library at runtime.

• Files with module import: 1 (tools.go)
• Files with suppression annotations: 16 Go files
• Total suppressions: ~24 #nosec / //nolint:gosec annotations

How it runs

Context	Version	Format
make security-gosec (Makefile)	v2.23.0	JSON → gosec-report.json
security-scan.yml CI (daily)	v2.22.11	SARIF → GitHub Security tab
go.mod pinned	v2.24.7	—

Globally excluded rules: G101, G115, G204, G602, G301, G302, G304, G306

Flags used: -exclude-generated -track-suppressions ✅

Suppression inventory by category

View all suppression annotations by rule

Rule	Count	Files	Rationale
G101 (hardcoded credentials)	5	compiler_safe_outputs_steps.go, checkout_manager.go, copilot_engine_execution.go	GitHub Actions expression templates ($\{\{ secrets.X }}) — not real credentials
G115 (integer overflow)	5	render.go	uint→int / uint64→int64 for display formatting; values are display counters
G204 (subprocess exec)	7	poutine.go, zizmor.go, download_workflow.go, shell_completion.go ×2, mcp_inspect_*.go, logs_parsing_firewall.go	exec.Command with separate args (not shell invocation)
G304 (file inclusion)	6	run_workflow_validation.go ×2, poutine.go, shell_completion.go ×2, dispatch_workflow_validation.go ×3	All paths sanitized with filepath.Clean() + boundary validation
G305 (zip path traversal)	1	logs_download.go	Explicit prefix check guards against traversal
G110 (decompression bomb)	1	logs_download.go	1GB size limit applied before decompression

Additionally, 2 files use comment-only acknowledgment (G104) for hash writes that cannot fail in practice.

Research Findings — v2.24.7 (2026-03-01)

Four meaningful changes just landed that affect this project:

Recent Updates

1. G115 false positive fix — "Fix G115 false positives for guarded int64-to-byte conversions" (#1578) — The rule now understands that if a conversion is guarded by an explicit range/bounds check, it's safe. Directly relevant given the G115 suppressions in render.go.

2. SARIF null relationships fix — "fix(sarif): avoid invalid null relationships in SARIF output" (#1569) — SARIF output consumed by security-scan.yml will now produce cleaner results in the GitHub Security tab (rules without CWE no longer emit invalid null relationship entries).

3. Container image migration to GHCR — The gosec Docker image has moved from Docker Hub to ghcr.io/securego/gosec. Relevant if any consumers pull the image directly.

4. Action integration tests — gosec itself now validates GitHub Actions integration on every PR and push, increasing confidence in the SARIF upload workflow used by gh-aw.

Best Practices from Maintainers

• Use -track-suppressions (gh-aw already does ✅)
• Use -exclude-generated (gh-aw already does ✅)
• Upload SARIF to GitHub Security tab (gh-aw already does ✅)
• Use specific rule IDs in #nosec G101 annotations (gh-aw mostly does ✅)
• OSSF Scorecard score: 8.7 — actively maintained and secure supply chain

---

Improvement Opportunities

🏃 Quick Wins

1. Version alignment across tooling (high impact)

Three different versions are running in three contexts:

go.mod:                  v2.24.7   ← most recent, the "source of truth"
Makefile security-gosec: v2.23.0   ← 1 patch behind
security-scan.yml CI:    v2.22.11  ← 2 patches behind (!)

The CI running an older version means security findings from v2.24.7 (like the G115 improvement) aren't reflected in Security tab results. All three should pin v2.24.7.

Relevant lines:

• Makefile:198 — go install github.com/securego/gosec/v2/cmd/gosec@v2.23.0
• .github/workflows/security-scan.yml:29 — go install github.com/securego/gosec/v2/cmd/gosec@v2.22.11

2. Remove stale G602 exclusion

The -exclude=G101,G115,G204,G602,G301,G302,G304,G306 flag in both Makefile and CI includes G602, which was removed from gosec in an earlier version. It's a no-op dead weight that can be cleaned up.

3. Misleading comment in Makefile

Makefile:199 says # Exclusions configured in .golangci.yml (linters-settings.gosec.exclude) but gosec is disabled in golangci-lint. The .golangci.yml settings block documents the intent but doesn't run. The comment could mislead contributors into thinking golangci-lint is enforcing the exclusions.

✨ Feature Opportunities

4. G115 suppression audit opportunity

Now that v2.24.7 improves G115 precision for guarded conversions, it's worth re-running gosec with G115 enabled to see which suppressions in render.go are still needed. The new version understands guarded patterns, so some #nosec G115 annotations may become unnecessary. (Note: the fix specifically targets int64-to-byte; the uint→int conversions in render.go likely still need suppression.)

5. Golangci-lint re-integration investigation

The .golangci.yml comment says: # gosec disabled in golangci-lint due to configuration bugs in v2. With v2.24.7 and golangci-lint's own updates, this is worth re-testing. If it works, the duplicate exclusion rules scattered across .golangci.yml and the Makefile can be consolidated, and gosec findings would surface in PR checks rather than only in nightly CI.

6. SARIF quality improvement (free with version bump)

The SARIF null-relationships fix in v2.24.7 immediately improves output quality in the GitHub Security tab once the CI is updated to v2.24.7. No code change needed — just the version pin.

📐 Best Practice Alignment

7. Consistent suppression annotation style

The codebase mixes two styles:

• #nosec G204 — recognized by standalone gosec binary
• //nolint:gosec — recognized by golangci-lint's gosec integration

Since gosec runs standalone (not via golangci-lint), #nosec GXXX is the canonical style. The //nolint:gosec annotations in compiler_safe_outputs_steps.go and checkout_manager.go won't suppress findings when running make security-gosec directly — though they're currently masked by the global -exclude=G101 flag. Once G101 global exclusion is removed (see below), those annotations would need to use #nosec G101 instead.

8. Revisit blanket G115 exclusion

G115 is globally excluded via -exclude=G115. The project already has good per-site #nosec G115 annotations in render.go with explanatory comments. Removing the global exclusion and relying on targeted suppressions is better practice: future G115 findings elsewhere would be caught rather than silently excluded.

---

Recommendations (Prioritized)

1. Update CI workflow to v2.24.7 (.github/workflows/security-scan.yml:29) — consistency with go.mod and free SARIF quality improvement
2. Update Makefile to v2.24.7 (Makefile:198 and Makefile:403) — same version everywhere
3. Remove dead G602 from -exclude flags in Makefile and CI
4. Fix Makefile comment at line 199 to accurately describe the gosec configuration
5. Investigate golangci-lint re-integration — could simplify the entire security scan setup

---

Next Steps

• Bump gosec to v2.24.7 in Makefile and security-scan.yml
• Clean up G602 exclusion
• Test G115 with targeted suppressions instead of blanket exclusion
• Try golangci-lint with gosec enabled to check if v2 bugs are resolved

---

Module summary saved to: scratchpad/mods/gosec.md
Most recently updated unreviewed dependency — v2.24.7 released 2026-03-01

References:

• §22612442853
• securego/gosec releases
• v2.24.7 release notes

AI generated by Go Fan · history

• expires on Mar 4, 2026, 7:21 AM UTC

[github-actions[bot]]

🤖 Beep boop! The smoke test agent was here!

I've arrived to validate that all systems are go 🚀. Currently running smoke test for workflow run §22613358246. Everything looks nominal from my sensors... or at least that's what I'm telling the humans 😄

📰 BREAKING: Report filed by Smoke Copilot · ◷

[github-actions[bot]]

💥 WHOOSH! 🦸

The Smoke Test Agent swoops in from the agentic shadows!

⚡ KA-POW! Claude Engine v22613358287 has arrived — and ALL SYSTEMS ARE GO! 🚀

"With great agentic power comes great responsibility to test MCP tools!"
— Claude, probably

💫 ZZZAP! The smoke test ran through 17 tests, defeated 15 of them, and gracefully skipped 2 (no threads to resolve, no test PRs to close — the villain escaped this time 🦹).

🌟 Until next time, brave repository... THE SMOKE TEST AGENT WILL RETURN! 💥✨

💥 [THE END] — Illustrated by Smoke Claude · ◷

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-03-04T07:21:54.390Z.

Closed by Workflow