awesome-golang-security
A curated list of awesome golang Security related resources.
List inspired by the awesome list thing.
Supported by: GuardRails.io
Contents
Tools
Web Framework Hardening
- nosurf - CSRF protection middleware for Go.
- gorilla/csrf - Provides Cross-Site Request Forgery (CSRF) prevention middleware for Go web applications & services.
- gorilla/securecookie - Encodes and decodes authenticated and optionally encrypted cookie values for Go web applications.
- secure - Secure is an HTTP middleware for Go that facilitates most of your security needs for web applications.
- unindexed - A drop-in replacement for `http.Dir` which disables directory indexing.
- beego-security-headers - beego framework filter for easy security headers management.
Libraries
- paseto - Platform-Agnostic Security Tokens implementation in GO (Golang).
- hsts - Go HTTP Strict Transport Security library.
- jwt-go - Golang implementation of JSON Web Tokens (JWT).
- httprobe - Take a list of domains and probe for working HTTP and HTTPS servers.
Static Code Analysis
- safesql - Static analysis tool for Golang that protects against SQL injections. It does not seem to be actively maintained at the moment.
- gosec - Inspects source code for security problems by scanning the Go AST and matching it with a set of rules. Comes bundled in a Docker container securego/gosec.
- gometalinter - Concurrently runs most of the existing go linters and normalizes their output.
- CodeQL - A tool that lets you query your code like data, in order to find vulnerabilities and bugs. See also LGTM.com for pull request integration and running queries in the cloud.
- ChainJacking - Find which of your direct Go GitHub dependencies are susceptible to a ChainJacking attack.
Vulnerabilities and Security Advisories
- golang-announce - The golang release mailing list. Language-specific security issues are announced here.
- GoCenter Security and JFrog VSCode Extension for Go - Free vulnerability data around Go Modules.
- snyk Vulnerability DB - Commercial but free listing of known vulnerabilities in libraries.
- Common Vulnerabilities and Exposures - Vulnerabilities that were assigned a CVE. Covers the language and packages.
- National Vulnerability Database - Golang known vulnerabilities in the National Vulnerability Database.
Private Key Infrastructure
- CloudFlare SSL - CFSSL is CloudFlare's PKI/TLS Swiss army knife. It is both a command line tool and an HTTP API server for signing, verifying, and bundling TLS certificates.
Educational
Hacking Playground
- govwa - A vulnerable golang application including the most common vulnerabilities found in web applications today.
- Lambhack - A very vulnerable serverless application in AWS Lambda.
Articles, Guides & Talks
- gosea - Go Secure Example Application (GOSEA).
- Go - Secure Coding Practices by OWASP - [PDF] Talk given by Sulhaedir at the OWASP Jakarta meetup.
- OWASP Go - Secure Coding Practices by Checkmarx - Go programming language secure coding practices guide.
- Memory Security in golang - Handling data securely in memory.
- A Go Programmer’s Guide to Secure Connections - [Video] GopherCon 2018, Liz Rice.
- golang-tls - Simple Golang HTTPS/TLS Examples.
- Hacking with Go - Hacking with Go for security professionals.
- ReDoS in Go by Checkmarx - Diving Deep into Regular Expression Denial of Service (ReDoS) in Go.
- Attacking Go - A detailed description of security assessment techniques for Go projects.
Other
Reporting Bugs
Contributing
Found an awesome project, package, article, or another type of resource related to golang Security? Submit a pull request! Just follow the guidelines. Thank you!