Releases: securego/gosec
Releases · securego/gosec
v2.27.1
v2.27.0
Immutable
release. Only release title and notes can be modified.
Changelog
- 0a5c650 Downgrade the jsonschema dep to v0.13.0 due to incompatibility with anthropick-sdk-go (#1686)
- b48e668 Update all dependencies (#1685)
- bd17b25 Downgrade the github.com/invopop/jsonschema v0.13.0 to solve incopatibility with anthropic-sdk (#1683)
- c6f8c3d Update all dependencies (#1682)
- 5676cbc Update vulnerabilities alerts for indirect dependencies
- ce167d4 Pin dependencies (#1681)
- 74b726d Skip pining for my repos
- a68f882 Update renovate configuration
- 2f8791b Fix typo
- ad3778a Update branch config in renovate config
- b1583fe Migrate config renovate.json (#1678)
- 139e33d Update renovate to refresh the branch creation
- f3c03eb Update the renovate branch prefix
- 85814f2 Update renovate config to pin the actions dependencies by digests (#1676)
- 55f0519 Migrate the html remport to react v19. (#1675)
- 6ad4476 Manually update version to fix renovate (#1674)
- 8f88312 feat: integrate Atlas Cloud provider (#1672)
- 6351b0c Refactor error position parsing to support path with colon. (#1673)
- de65614 Add two options to require rule ID and justificaiton for inline annotations (#1671)
- e354c57 Fix false positive in G118 when cancel is stored in a slice/map (#1670)
- 4161f0b chore(go): update supported Go versions to 1.25.10 and 1.26.3 (#1669)
- b4f2934 Harden the github workflows and action (#1665)
- b7aca26 Fix justification delimiter in annotation format doc (#1661)
- 945bce7 Update all dependencies (#1664)
- 5f4eec9 Update action to use gosec version v2.26.1 (#1660)
v2.26.1
v2.25.0
Changelog
- 223e19b chore(deps): bump google.golang.org/grpc from 1.75.0 to 1.79.3 (#1617)
- b23a9e5 fix: allow barry action to access secrets on fork PRs (#1616)
- 355cfa5 fix: reduce G117 false positives for custom marshalers and transformed values (#1614) (#1615)
- 744bfb5 Add barry security scanner as a step in the CI (#1612)
- 4fde15d chore(deps): update all dependencies (#1611)
- dec52c4 fix: prevent taint analysis hang on packages with many CHA call graph edges (#1608) (#1610)
- a0de8b6 Add some skills for claude code to automate some tasks (#1609)
- c2dfcec Add G701-G706 rule-to-CWE mappings and CWE-117, CWE-918 entries (#1606)
- 8aec3f4 fix: skip SSA analysis on ill-typed packages to prevent panic (#1607)
- 1ced32d Port G120 from SSA-based to taint analysis (fixes #1600, #1603) (#1605)
- befce8d fix(G118): eliminate false positive for package-level cancel variables (#1602)
- b7b2c7b feat: add G124 rule for insecure HTTP cookie configuration (#1599)
- 6e66a94 feat: add G709 rule for unsafe deserialization of untrusted data (#1598)
- e7ea237 feat: add G708 rule for server-side template injection via text/template (#1597)
- 8895462 fix(G118): eliminate false positive when cancel is called via struct field in a closure (#1596)
- 619ce21 Fix infinite recursion in interprocedural taint analysis (#1594)
- 0e0eb17 Fix G118 false positive when cancel is stored in returned struct field (#1593)
- 59a9da0 Fix G118 false positive on cancel called inside goroutine closure (#1592)
- cbf46b8 fix(analyzer): per-package rule instantiation eliminates concurrent map crash (#1589)
- c6c3ba8 chore(deps): update all dependencies (#1588)
- c709ed8 fix(G118): treat returned cancel func as called (fixes #1584) (#1585)
- fa74dd7 chore(go): update supported Go versions to 1.25.8 and 1.26.1 (#1583)
- cd1f29e Update the README with the correct version of the Github action for gosec (#1582)
- 5887aee chore(deps): update all dependencies (#1579)
- 6641fcf Fix G115 false positives for guarded int64-to-byte conversions (#1578)
- 3c9c3da Update the container image migration notice (#1576)
- 973e94e chore(action): bump gosec to 2.24.7 (#1575)
v2.24.7
Changelog
- bb17e42 Ignore nosec comments in action integration workflow to generate some warnings (#1573)
- e1502ad Add a workflow for action integration test (#1571)
- f8691bd fix(sarif): avoid invalid null relationships in SARIF output (#1569)
- ade1d0e chore: migrate gosec container image references to GHCR (#1567)
v2.24.6
v2.24.0
Changelog
- 271492b fix: G704 false positive on const URL (#1551)
- 1341aea fix(G705): eliminate false positive for non-HTTP io.Writer (#1550)
- f2262c8 G120: avoid false positive when MaxBytesReader is applied in middleware (#1547)
- 5b580c7 Fix G602 regression coverage for issue #1545 and stabilize G117 TOML test dependency (#1546)
- eba2d15 taint: skip
context.Contextarguments during taint propagation to fix false positives (#1543) - a6381c1 test: add missing rules to formatter report tests (#1540)
- fea9725 chore(deps): update all dependencies (#1541)
- f3e2fac Regenrate the TLS config rule (#1539)
- 200461f Improve documentation (#1538)
- 078a62a Expand analyzer-core test coverage for orchestration, go/analysis adapter logic, and taint integration (#1537)
- ffdc620 Add unit tests for CLI orchestration, TLS config generation, and SSA cache behavior (#1536)
- c13a486 Add G707 taint analyzer for SMTP command/header injection (#1535)
- f61ed31 Add G123 analyzer for tls.VerifyPeerCertificate resumption bypass risk (#1534)
- b568aa1 Add G122 SSA analyzer for filepath.Walk/WalkDir symlink TOCTOU race risks (#1532)
- 1735e5a fix(G602): avoid false positives for range-over-array indexing (#1531)
- caf93d0 Improve taint analyzer performance with shared SSA cache, parallel analyzer execution, and CI regression guard (#1530)
- bd11fbe fix: taint analysis false positives with G703,G705 (#1522)
- e34e8dd Extend the G117 rule to cover other types of serialization such as yaml/xml/toml (#1529)
- b940702 Fix the G117 rule to take the JSON serialization into account (#1528)
- 4f84627 (docs) fix justification format (#1524)
- 36ba72b Add G121 analyzer for unsafe CORS bypass patterns in CrossOriginProtection (#1521)
- 238f982 Add G120 SSA analyzer for unbounded form parsing in HTTP handlers (#1520)
- 89cde27 Add G119 analyzer for unsafe redirect header propagation in CheckRedirect callbacks (#1519)
- 14fdd9c Fix G115 false positives and negatives (Issue #1501) (#1518)
- cec54ec chore(deps): update all dependencies (#1517)
- 2b2077e Add G118 SSA analyzer for context propagation failures that can cause goroutine/resource leaks (#1516)
- a7666f3 Add G113: Detect HTTP Request Smuggling via conflicting headers (CVE-2025-22891, CWE-444) (#1515)
- 47f8b52 Add G408: SSH PublicKeyCallback Authentication Bypass Analyzer (#1513)
- 4f1f362 Add more unit tests to improve coverage (#1512)
- 9344582 Improve test coverage in various areas (#1511)
- 8d1b2c6 Imprve the test coverage (#1510)
- 993c1c4 Fix incorrect detection of fixed iv in G407 (#1509)
- 8668b74 Add support for go 1.26.x and removed support for go 1.24.x (#1508)
- 514225c Fix the sonar report to follow the latest schema (#1507)
- 000384e fix: broken taint analysis causing false positives (#1506)
- 616192c fix: panic on float constants in overflow analyzer (#1505)
- 79956a3 fix: panic when scanning multi-module repos from root (#1504)
- 5736e8b fix: G602 false positive for array element access (#1499)
- 1b7e1e9 Update gosec to version v2.23.0 in the Github action (#1496)
v2.23.0
Changelog
- 398ad54 feat: Support for adding taint analysis engine (#1486)
- 6eacd5c chore(deps): update all dependencies (#1494)
- 181a7cb chore(deps): update all dependencies (#1494)
- e2fa6ab chore(deps): update all dependencies (#1488)
- eb252ba Fix G602 analyzer panic that kills gosec process (#1491)
- 20d71a0 update go version to 1.25.7 (#1492)
- a631af8 Fix URL regexp and remove redundant Google regex patterns (#1485)
- 8968502 feat: implement global cache usage in rules (#1480)
- 04f729c chore(deps): update module google.golang.org/genai to v1.43.0 (#1484)
- ade0e8f refactor: optimize nosec parsing and reduce allocations (#1478)
- d24bbf7 Fix SARIF artifactChanges null validation error (#1483)
- 15cba7f feat: optimize GetCallInfo with per-package sync.Pool caching (#1481)
- 5288673 feat: implement entropy pre-filtering to optimize secret detection (#1479)
- d9a9bcd feat: ensure GoVersion is cached using sync.Once (#1477)
- 516260a Fix #1240: nosec comments now work with trailing open brackets (#1475)
- be0fd6d Debug Build Profiling Support: Code improvement suggestions for PR#1471 (#1476)
- b579523 Update the go version to 1.25.6 and 1.24.12 (#1474)
- bd3c738 G115: Enhance RangeAnalyzer with constant propagation and chained arithmetic support (#1470)
- 6897b36 chore(deps): update all dependencies (#1473)
- 9f20212 feat: support path-based rule exclusions via exclude-rules (#1465)
- 726d847 Optimize analyzer with parallel package processing (#1466)
- 3150b28 feat: add goanalysis package for nogo (#1449)
- 7284e15 Refactor Analyzers: Unify Range Logic & Optimize Allocations (#1464)
- 7a4ccef Optimize G115, G602, G407 analyzers to reduce allocations and memory (#1463)
- 833d791 refactor(g115): improve coverage (#1462)
- 0cc9e01 Refine G407 to improve detection and coverage of hardcoded nonces (#1460)
- 303f84d chore(deps): update all dependencies (#1461)
- 7387d22 Refactor rules to use callListRule base structure (#1458)
- 52f5dbf feat(slice): enhance slice bounds analysis with dynamic bounds handling (#1457)
- 649e2c8 remove deprecated ast.Object (#1455)
- 35a92b4 feat(sql): enhance SQL injection detection with improved string concatenation checks (#1454)
- bc9d2bc feat(rules): enhance subprocess variable checks (#1453)
- 8a5404e feat(resolve): enhance TryResolve to handle KeyValueExpr, IndexExpr, and SliceExpr (#1452)
- 0f6f21c feat: add secrets serialization G117 (#1451)
- 717706e feat(rules): add support for detecting high entropy strings in composite literals (#1447)
- 082deb6 whitelist crypto/rand Read from error checks (#1446)
- 095d529 chore(deps): update all dependencies (#1443)
- c073629 Improve slice bound check (#1442)
- 538a05c docs: add documentation for using gosec with private modules (#1441)
- 2580437 chore(deps): update all dependencies (#1440)
- 872b331 docs: add G116 rule description to README (#1439)
- dcf93a8 Update GitHub action to gosec 2.22.11 (#1438)
v2.22.11
Changelog
- 424fc4c feature: add rule for trojan source (#1431)
- aa2e2fb feat(ai): add OpenAI and custom API provider support (#1424)
- b6eea26 chore: Migrate from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3 (#1437)
- 41f28e2 chore(deps): update module google.golang.org/genai to v1.37.0 (#1435)
- daccba6 refactor: simplify report functions in main.go (#1434)
- d4be287 Update go to 1.25.5 and 1.24.11 in CI (#1433)
- fde7515 chore(deps): update all dependencies (#1425)
- 20c9506 feat(ai): add support for latest Claude models and update provider flags (#1423)
- bd9e372 Bump golang.org/x/crypto from 0.43.0 to 0.45.0 (#1427)
- 7aa7e93 chore(deps): update module golang.org/x/crypto to v0.45.0 [security] (#1428)
- a58917f fix: correct schema with temporary placeholder (#1418)
- 8b0d0b8 perf: skip SSA analysis if no analyzers are loaded (#1419)
- 8a5d01a test: add sarif validation (#1417)
- a8fefd1 chore(deps): update all dependencies (#1421)
- c34cbbf Update go to version 1.25.4 and 1.24.10 in CI (#1415)
- 10cf58a fix: build tag parsing. (#1413)
- d2d7348 chore(deps): update all dependencies (#1411)
- afa853e chore(deps): update all dependencies (#1409)
- 6b2e6e4 chore(deps): update all dependencies (#1408)
- 0adab9d Update gosec to version v2.22.10 in the github action (#1405)
v2.22.10
Changelog
- 6be2b51 Update go to version 1.25.3 and 1.24.9 in CI (#1404)
- fddb942 chore(deps): update all dependencies (#1402)
- f676031 Update go to version 1.25.2 and 2.24.8 in CI (#1401)
- 35f7ec2 chore(deps): update all dependencies (#1399)
- 01029f0 check nil slices, partially check bounds (#1396)
- 34db3de Remove unused target from the makefile
- f5a3b7a Use the ginkgo command install by the dependencies
- 761fcbc Keep the go module at 1.24 version for compatibility reasons
- 2238079 Remove manual test deps
- bb08aa3 fix: text must be supplied when markdown is used
- 23597d2 fix: improve error message of CheckAnalyzers
- 8d7e9d5 fix: log panic on SSA
- 0d8255e chore(deps): update all dependencies
- f9c52aa Update gosec to version v.22.9 in the github action