golang-security
Secure Go backend services against common vulnerabilities. Use when implementing input validation, crypto, or SQL injection prevention in Go. (triggers: crypto/rand, argon2, sanitize, jwt, bcrypt, validation, input validation, sql injection)
Best use case
golang-security is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Secure Go backend services against common vulnerabilities. Use when implementing input validation, crypto, or SQL injection prevention in Go. (triggers: crypto/rand, argon2, sanitize, jwt, bcrypt, validation, input validation, sql injection)
Teams using golang-security should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/golang-security/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How golang-security Compares
| Feature / Agent | golang-security | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Secure Go backend services against common vulnerabilities. Use when implementing input validation, crypto, or SQL injection prevention in Go. (triggers: crypto/rand, argon2, sanitize, jwt, bcrypt, validation, input validation, sql injection)
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Golang Security Standards ## **Priority: P0 (CRITICAL)** ## Implementation Guidelines ### Input Validation - **Validation**: Use `go-playground/validator` or `google/go-cmp` for struct validation. - **Sanitization**: Sanitize user input before processing. Use `bluemonday` for HTML sanitization. ### Cryptography - **Random**: ALWAYS use `crypto/rand`, NEVER `math/rand` for security-sensitive operations (tokens, keys, IVs). - **Hashing**: Use **Argon2id** for password hashing (`golang.org/x/crypto/argon2`). Do NOT use bcrypt (weaker) or MD5/SHA1 (insecure). Recommended params: `time=1, memory=64MB, threads=4`. - **Encryption**: Use `crypto/aes` with GCM mode for authenticated encryption. ### SQL Injection Prevention - **Parameterized Queries**: ALWAYS use `$1, $2` placeholders with `database/sql` or ORM (GORM, sqlx). - **No String Concatenation**: Never build queries with `fmt.Sprintf()`. ### Authentication - **JWT**: Use `golang-jwt/jwt` v5+. Enforce `RS256` (preferred) or `HS256`. **Reject `none` and symmetric algorithms for multi-service auth**. Validate `alg`, `iss`, `aud`, `exp` claims. - **Sessions**: Use secure, httpOnly cookies with `gorilla/sessions`. ### Secret Management - **Environment Variables**: Load secrets via `godotenv` or Kubernetes secrets. - **No Hardcoding**: Never commit API keys, passwords, or tokens to Git. ## Anti-Patterns - **No `math/rand` for Security**: RNG is predictable. Use `crypto/rand`. - **No `fmt.Sprintf()` for SQL**: Causes SQL injection. Use placeholders. - **No bcrypt or MD5 for Passwords**: Use `argon2id` exclusively. - **No Exposed Error Details**: Don't leak stack traces to clients in production. ## References - [Implementation Examples](references/implementation.md)
Related Skills
spring-boot-security
Configure Spring Security 6+ with Lambda DSL, JWT, and hardening rules. Use when configuring Spring Security 6+, OAuth2, JWT, or security hardening in Spring Boot. (triggers: **/*SecurityConfig.java, **/*Filter.java, security-filter-chain, lambda-dsl, csrf, cors)
react-security
Prevent XSS, secure auth flows, and harden React client-side applications. Use when preventing XSS, securing auth flows, or auditing third-party dependencies in React. (triggers: **/*.tsx, **/*.jsx, dangerouslySetInnerHTML, token, auth, xss)
react-native-security
Secure storage, network traffic, and deep links in React Native mobile apps. Use when implementing secure storage, certificate pinning, or deep link validation in React Native. (triggers: **/*.tsx, **/*.ts, security, keychain, secure-storage, deep-link, certificate-pinning)
php-security
PHP security standards for database access, password handling, and input validation. Use when securing PHP apps against SQL injection, XSS, or weak password storage. (triggers: **/*.php, pdo, password_hash, htmlentities, filter_var)
nextjs-security
Secure Next.js App Router with middleware auth, Server Action validation, CSP headers, and taint APIs. Use when adding authentication middleware, validating Server Action inputs with Zod, or preventing secret leakage to client bundles. (triggers: app/**/actions.ts, middleware.ts, action, boundary, sanitize, auth, jose)
nestjs-security
Implement JWT authentication, RBAC guards, Helmet hardening, and Argon2 hashing in NestJS. Use when adding auth strategies, role-based access control, CSRF protection, or security headers. (triggers: **/*.guard.ts, **/*.strategy.ts, **/auth/**, Passport, JWT, AuthGuard, CSRF, Helmet)
nestjs-security-isolation
Enforce multi-tenant isolation and PostgreSQL Row Level Security in NestJS. Use when enforcing tenant isolation or PostgreSQL RLS in NestJS multi-tenant apps. (triggers: src/modules/**, SECURITY.md, src/migrations/**, RLS, Row Level Security, childId, isolation, access policy)
laravel-security
Harden Laravel apps with Policies for model authorization, Gate-based RBAC, validated mass assignment, and CSRF protection. Use when creating authorization policies, securing env config access, or preventing mass assignment vulnerabilities. (triggers: app/Policies/**/*.php, config/*.php, policy, gate, authorize, env, config)
ios-security
Secure iOS apps with Keychain, biometrics, and data protection. Use when implementing Keychain storage, Face ID/Touch ID, or data protection in iOS. (triggers: **/*.swift, SecItemAdd, kSecClassGenericPassword, LAContext, LocalAuthentication)
golang-tooling
Go developer toolchain — gopls LSP diagnostics, linting, formatting, and vet. Use when setting up Go tooling, running linters, or integrating gopls with Claude Code. (triggers: gopls, golangci-lint, golangci.yml, go vet, goimports, staticcheck, go tooling, go lint)
golang-testing
Write unit tests with table-driven patterns and interface mocking in Go. Use when writing Go unit tests, table-driven tests, or using mock interfaces. (triggers: **/*_test.go, testing, unit tests, go test, mocking, testify)
golang-logging
Standards for structured logging and observability in Golang. Use when adding structured logging or tracing to Go services. (triggers: go.mod, pkg/logger/**, logging, slog, structured logging, zap)