Security
This page provides resources for Go developers to improve security for their projects.
(See also: Security Best Practices for Go Developers.)
Find and fix known vulnerabilities
Go's vulnerability detection aims to provide low-noise, reliable tools that tell developers about known vulnerabilities affecting their projects. For an overview, start with the summary and FAQ page on Go's vulnerability management architecture. For an applied approach, use the tools below.
Scan code for vulnerabilities with govulncheck
The govulncheck tool (installed with go install golang.org/x/vuln/cmd/govulncheck@latest and run as govulncheck ./... from a module root) reports known vulnerabilities in the modules your code depends on. Because it performs call-graph analysis, it distinguishes vulnerabilities in functions and methods your code actually reaches from those in dependencies you import but never call, so you can prioritize fixes by real exposure rather than by raw dependency count.
Detect vulnerabilities from your editor
The VS Code Go extension checks your third-party dependencies against the Go vulnerability database and surfaces the vulnerabilities relevant to your code as you work, so problems are visible before you run a separate scan.
Find Go modules to build upon
Pkg.go.dev is a website for discovering, evaluating, and learning about Go packages and modules. When you look up a package there, a banner at the top of the page warns you if the version you are viewing has known vulnerabilities, and the version history page lists the vulnerabilities affecting each version, so you can pick a fixed version before depending on it.
Browse the vulnerability database
The Go vulnerability database collects data directly from Go package maintainers as well as from outside sources such as MITRE and GitHub. Reports are curated by the Go Security team.
- Browse reports in the Go vulnerability database
- View the Go Vulnerability Database documentation
- Contribute a public vulnerability to the database
Report security bugs in the Go project
Security Policy
Consult the Security Policy for instructions on how to report a vulnerability in the Go project. The page also details the Go security team’s process of tracking issues and disclosing them to the public. See the release history for details about past security fixes. Per the release policy, we issue security fixes to the two most recent major releases of Go.
Test unexpected inputs with fuzzing
Native Go fuzzing is a form of automated testing that continuously mutates inputs to a program, looking for crashes, hangs, and violated invariants that hand-written test cases miss. Fuzzing has been part of the standard toolchain since Go 1.18, driven by go test -fuzz. Native Go fuzz tests are also supported by OSS-Fuzz, so open source projects can have them run continuously.
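A native Go fuzz test, added here as an example (it is not code from the Go project or this page). ParseRange is a hypothetical parser for "lo-hi" bounds, the kind of small input handler that tends to hide panics and inverted-range bugs; FuzzParseRange seeds the corpus with a few hand-picked inputs, then lets the engine mutate them while checking two invariants: an accepted range is never inverted, and formatting it produces a string that parses back to the same bounds. The file compiles as a program (go run) so the parser can be tried directly; to fuzz it, move FuzzParseRange into a _test.go file beside it inside a module and run go test -fuzz=FuzzParseRange. The seed corpus also runs on every plain go test.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
	"testing"
)

// ParseRange parses a hypothetical "lo-hi" bound such as "1-10" or "-5-3"
// into two int64 values. Because the lower bound may carry a sign, the
// separator is the last '-' in the string; a '-' at index 0 is a sign, not
// a separator. The upper bound therefore never contains '-' and is always
// non-negative.
func ParseRange(s string) (lo, hi int64, err error) {
	sep := strings.LastIndexByte(s, '-')
	if sep <= 0 {
		return 0, 0, errors.New("range: missing separator")
	}
	lo, err = strconv.ParseInt(s[:sep], 10, 64)
	if err != nil {
		return 0, 0, fmt.Errorf("range: bad lower bound: %w", err)
	}
	hi, err = strconv.ParseInt(s[sep+1:], 10, 64)
	if err != nil {
		return 0, 0, fmt.Errorf("range: bad upper bound: %w", err)
	}
	if lo > hi {
		return 0, 0, errors.New("range: lower bound exceeds upper bound")
	}
	return lo, hi, nil
}

// FormatRange is the inverse of ParseRange.
func FormatRange(lo, hi int64) string {
	return fmt.Sprintf("%d-%d", lo, hi)
}

// FuzzParseRange is a native Go fuzz target. The seed corpus gives the
// mutator a starting point (constructed inputs, chosen to cover the edge
// cases); the engine then generates new inputs and fails the test on a
// panic or on any invariant violated in the callback.
func FuzzParseRange(f *testing.F) {
	seeds := []string{
		"1-10", "0-0", "-5-3", "5-3", "", "-", "1-", "a-b",
		"9223372036854775807-9223372036854775807",
	}
	for _, seed := range seeds {
		f.Add(seed)
	}
	f.Fuzz(func(t *testing.T, in string) {
		lo, hi, err := ParseRange(in)
		if err != nil {
			return // rejected input: nothing more to check
		}
		if lo > hi {
			t.Fatalf("ParseRange(%q) accepted an inverted range %d > %d", in, lo, hi)
		}
		// Round trip: formatting an accepted range must parse back unchanged.
		lo2, hi2, err := ParseRange(FormatRange(lo, hi))
		if err != nil || lo2 != lo || hi2 != hi {
			t.Fatalf("round trip of %q gave (%d, %d, %v), want (%d, %d, nil)",
				in, lo2, hi2, err, lo, hi)
		}
	})
}

func main() {
	for _, in := range []string{"1-10", "-5-3", "5-3", "-5", "1-2-3"} {
		lo, hi, err := ParseRange(in)
		fmt.Printf("%-8q -> lo=%d hi=%d err=%v\n", in, lo, hi, err)
	}
}
```

When the engine finds a failing input it writes it to testdata/fuzz/FuzzParseRange/ as a regression case, which go test then replays on every run; commit those files alongside the fix.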
Secure services with Go's cryptography libraries
Go's cryptography libraries aim to help developers build secure applications. The standard library crypto packages cover the core primitives (block and AEAD ciphers, hashing, signatures, key exchange, TLS), and golang.org/x/crypto adds further algorithms such as password hashing and SSH. See the documentation for the crypto packages and golang.org/x/crypto/.
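A worked example of the standard library in use, added here and not taken from the Go project: authenticated encryption with AES-256-GCM from crypto/aes and crypto/cipher, with the nonce drawn from crypto/rand. The Encrypt and Decrypt helpers are hypothetical names for this page; what they show is the message layout (nonce prepended so the receiver can open the message), the associated-data parameter, the length check before slicing, and the fact that any tampering surfaces as a single generic error.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const keySize = 32 // AES-256

// Encrypt seals plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// aad (additional authenticated data, e.g. a record header or format version) is
// authenticated but not encrypted; pass nil when unused. A fresh random 96-bit
// nonce is drawn per call: GCM is broken by nonce reuse under the same key, so
// never derive the nonce from a counter you cannot reliably persist.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, fmt.Errorf("encrypt: nonce: %w", err)
	}
	// Seal appends to its first argument, so the output starts with the nonce
	// the receiver needs in order to open it.
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt. A modified nonce, ciphertext, tag or aad makes Open
// fail; the caller only sees a generic error so that nothing about the failure
// mode leaks to a remote peer.
func Decrypt(key, msg, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(msg) < ns+aead.Overhead() {
		return nil, errors.New("decrypt: message too short")
	}
	nonce, ciphertext := msg[:ns], msg[ns:]
	plaintext, err := aead.Open(nil, nonce, ciphertext, aad)
	if err != nil {
		return nil, errors.New("decrypt: authentication failed")
	}
	return plaintext, nil
}

// newAEAD rejects keys of the wrong length up front rather than letting a
// 16-byte key silently select AES-128.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, fmt.Errorf("key must be %d bytes, got %d", keySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	aad := []byte("v1") // constructed header value for the demo
	msg, err := Encrypt(key, []byte("session=abc123"), aad)
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(key, msg, aad)
	fmt.Printf("decrypted: %s (err=%v)\n", pt, err)

	msg[len(msg)-1] ^= 0x01 // flip one bit of the tag
	_, err = Decrypt(key, msg, aad)
	fmt.Println("tampered :", err)
}
```

Random 96-bit nonces are safe only while the number of messages under one key stays well below 2^32; rotate keys before that. Go 1.24 and later also ship cipher.NewGCMWithRandomNonce, which performs the nonce generation and prefixing shown here inside Seal and Open.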