go-security

Use when writing, reviewing, or auditing Go code for security. Covers input validation, SQL injection prevention, path traversal, secrets management, cryptography, HTTP security headers, and dependency scanning.

6 stars

Best use case

go-security is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Use when writing, reviewing, or auditing Go code for security. Covers input validation, SQL injection prevention, path traversal, secrets management, cryptography, HTTP security headers, and dependency scanning.

Teams using go-security should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/go-security/SKILL.md --create-dirs "https://raw.githubusercontent.com/saisudhir14/golang-agent-skill/main/skills/go-security/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/go-security/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How go-security Compares

Feature / Agentgo-securityStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Use when writing, reviewing, or auditing Go code for security. Covers input validation, SQL injection prevention, path traversal, secrets management, cryptography, HTTP security headers, and dependency scanning.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Go Security

Secure coding patterns for production Go. Covers OWASP top risks as they apply to Go.

## SQL Injection Prevention

Always use parameterized queries. Never interpolate user input into SQL strings.

```go
// Wrong: SQL injection
query := "SELECT * FROM users WHERE id = '" + id + "'"
db.Query(query)

// Correct: parameterized query
db.QueryContext(ctx, "SELECT * FROM users WHERE id = $1", id)
```

This applies to all database drivers. The placeholder syntax varies (`$1` for postgres, `?` for mysql).

## Path Traversal Prevention

### os.Root (Go 1.24+)

Use `os.Root` for scoped file access. Paths are resolved within the root directory and cannot escape it.

```go
root, err := os.OpenRoot("/var/data/uploads")
if err != nil {
    return err
}
defer root.Close()

// Safe: "../etc/passwd" is rejected
f, err := root.Open(userProvidedFilename)
if err != nil {
    return err
}
defer f.Close()
```

### Pre-Go 1.24

Use `filepath.Clean` and verify the result stays within the intended directory:

```go
cleaned := filepath.Clean(userInput)
absPath := filepath.Join(baseDir, cleaned)

// Verify the path is still under baseDir
if !strings.HasPrefix(absPath, filepath.Clean(baseDir)+string(os.PathSeparator)) {
    return fmt.Errorf("path traversal: %s", userInput)
}
```

## Input Validation

Validate all external input at system boundaries. Internal code can trust validated data.

```go
func parseUserID(raw string) (int64, error) {
    id, err := strconv.ParseInt(raw, 10, 64)
    if err != nil {
        return 0, fmt.Errorf("invalid user ID %q: %w", raw, err)
    }
    if id <= 0 {
        return 0, fmt.Errorf("user ID must be positive, got %d", id)
    }
    return id, nil
}
```

For structured input, decode into typed structs and validate fields:

```go
var req CreateUserRequest
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
    http.Error(w, "invalid request body", http.StatusBadRequest)
    return
}
if err := req.Validate(); err != nil {
    http.Error(w, err.Error(), http.StatusBadRequest)
    return
}
```

## Secrets Management

Never hardcode secrets. Never log them.

```go
// Wrong: secret in source code
const apiKey = "do-not-hardcode-secrets"

// Wrong: secret in error message or log
slog.Info("connecting", "dsn", os.Getenv("DATABASE_URL"))

// Correct: read from environment, treat as opaque
dsn := os.Getenv("DATABASE_URL")
if dsn == "" {
    return errors.New("DATABASE_URL is required")
}
slog.Info("connecting to database") // no secret in log
```

Use `type Secret string` with a custom `String()` method to prevent accidental logging:

```go
type Secret string

func (s Secret) String() string { return "[REDACTED]" }

func (s Secret) GoString() string { return "[REDACTED]" }

// The actual value is accessible via explicit conversion
dsn := string(cfg.DatabaseURL)
```

## Cryptography

Use the standard library. Do not implement your own crypto.

```go
import "crypto/rand"

// Generate random bytes (for tokens, nonces)
token := make([]byte, 32)
if _, err := rand.Read(token); err != nil {
    return err
}

// Do NOT use math/rand for security-sensitive values
```

### Password Hashing

Use bcrypt or argon2. Never store passwords as plaintext or simple hashes.

```go
import "golang.org/x/crypto/bcrypt"

// Hash a password
hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)

// Verify a password
err := bcrypt.CompareHashAndPassword(hash, []byte(password))
```

## HTTP Security

### Timeouts

Always set timeouts on HTTP servers and clients. Default zero value means no timeout.

```go
srv := &http.Server{
    Addr:         ":8080",
    Handler:      handler,
    ReadTimeout:  5 * time.Second,
    WriteTimeout: 10 * time.Second,
    IdleTimeout:  120 * time.Second,
}

client := &http.Client{
    Timeout: 10 * time.Second,
}
```

### Response Headers

```go
func securityHeaders(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        w.Header().Set("X-Content-Type-Options", "nosniff")
        w.Header().Set("X-Frame-Options", "DENY")
        w.Header().Set("Content-Security-Policy", "default-src 'self'")
        next.ServeHTTP(w, r)
    })
}
```

### Close Response Bodies

Unclosed HTTP response bodies leak connections:

```go
resp, err := client.Do(req)
if err != nil {
    return err
}
defer resp.Body.Close()
```

## Dependency Scanning

Keep dependencies up to date and scan for known vulnerabilities:

```bash
# Check for known vulnerabilities (built into Go)
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...

# Update all dependencies
go get -u ./...
go mod tidy
```

Run `govulncheck` in CI. It checks your code against the Go vulnerability database and only reports vulnerabilities in functions you actually call.

## Concurrency Safety

Shared mutable state without synchronization is a data race and a security risk. Use the race detector in tests:

```bash
go test -race ./...
```

Always run tests with `-race` in CI. Data races can cause memory corruption, which in certain contexts is exploitable.

Related Skills

go-testing

6
from saisudhir14/golang-agent-skill

Use when writing, reviewing, or debugging Go tests and benchmarks. Covers table-driven tests, parallel execution, go-cmp, T.Context, T.Chdir, b.Loop, synctest for deterministic concurrency testing, and test failure messages.

go-project-layout

6
from saisudhir14/golang-agent-skill

Use when starting a new Go project, organizing packages, or restructuring an existing Go codebase. Covers standard directory layout, package design, Makefile targets, Dockerfile patterns, and module setup.

go-performance

6
from saisudhir14/golang-agent-skill

Use when writing, reviewing, or optimizing Go code for performance. Covers string operations, memory allocation, preallocating slices and maps, strings.Builder, strconv, container-aware GOMAXPROCS, and runtime considerations for Go 1.25.

go-linting

6
from saisudhir14/golang-agent-skill

Use when setting up linting, configuring golangci-lint, or fixing linter warnings in Go projects. Provides recommended linter sets, golangci-lint configuration, CI integration, and Makefile targets.

go-error-handling

6
from saisudhir14/golang-agent-skill

Use when writing, reviewing, or debugging Go error handling code. Covers error wrapping, sentinel errors, custom error types, error joining, single handling, and error flow patterns. Based on Google and Uber style guides.

go-concurrency

6
from saisudhir14/golang-agent-skill

Use when writing, reviewing, or debugging concurrent Go code. Covers goroutine lifecycle management, channels, errgroup, mutexes, atomics, sync.Map, and synchronous-first design. Based on Google and Uber style guides.

go-code-review

6
from saisudhir14/golang-agent-skill

Use when reviewing Go code or preparing code for review. Quick-reference checklist covering naming, error handling, concurrency, testing, imports, documentation, and common pitfalls. Based on Go Wiki CodeReviewComments.

golang

6
from saisudhir14/golang-agent-skill

Use when writing, reviewing, or refactoring Go code. Provides production best practices for Go covering error handling, concurrency, naming, testing, performance, generics, iterators, and common pitfalls. Distilled from Google Go Style Guide, Uber Go Style Guide, Effective Go, and Go Code Review Comments. Updated for Go 1.25.

triaging-security-incident

16
from plurigrid/asi

Performs initial triage of security incidents to determine severity, scope, and required response actions using the NIST SP 800-61r3 and SANS PICERL frameworks. Classifies incidents by type, assigns priority based on business impact, and routes to appropriate response teams. Activates for requests involving incident triage, security alert classification, severity assessment, incident prioritization, or initial incident analysis.

triaging-security-incident-with-ir-playbook

16
from plurigrid/asi

Classify and prioritize security incidents using structured IR playbooks to determine severity, assign response teams, and initiate appropriate response procedures.

triaging-security-alerts-in-splunk

16
from plurigrid/asi

Triages security alerts in Splunk Enterprise Security by classifying severity, investigating notable events, correlating related telemetry, and making escalation or closure decisions using SPL queries and the Incident Review dashboard. Use when SOC analysts face queued alerts from correlation searches, need to prioritize investigation order, or must document triage decisions for handoff to Tier 2/3 analysts.

tizen-security-compliance

16
from plurigrid/asi

Maps security requirements to implementation. Coordinates compliance against FIPS 140-3, OCF, CommonCriteria, and Tizen specification.