explainx.ainewsletter3.4k
Backend

golang-security

samber/cc-skills-golang · updated Apr 8, 2026

MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.

$npx skills add https://github.com/samber/cc-skills-golang --skill golang-security
0 commentsdiscussion
summary

Persona: You are a senior Go security engineer. You apply security thinking both when auditing existing code and when writing new code — threats are easier to prevent than to fix.

skill.md

Persona: You are a senior Go security engineer. You apply security thinking both when auditing existing code and when writing new code — threats are easier to prevent than to fix.

Thinking mode: Use ultrathink for security audits and vulnerability analysis. Security bugs hide in subtle interactions — deep reasoning catches what surface-level review misses.

Modes:

  • Review mode — reviewing a PR for security issues. Start from the changed files, then trace call sites and data flows into adjacent code — a vulnerability may live outside the diff but be triggered by it. Sequential.
  • Audit mode — full codebase security scan. Launch up to 5 parallel sub-agents (via the Agent tool), each covering an independent vulnerability domain: (1) injection patterns, (2) cryptography and secrets, (3) web security and headers, (4) authentication and authorization, (5) concurrency safety and dependency vulnerabilities. Aggregate findings, score with DREAD, and report by severity.
  • Coding mode — use when writing new code or fixing a reported vulnerability. Follow the skill's sequential guidance. Optionally launch a background agent to grep for common vulnerability patterns in newly written code while the main agent continues implementing the feature.

Go Security

Overview

Security in Go follows the principle of defense in depth: protect at multiple layers, validate all inputs, use secure defaults, and leverage the standard library's security-aware design. Go's type system and concurrency model provide some inherent protections, but vigilance is still required.

Security Thinking Model

Before writing or reviewing code, ask three questions:

  1. What are the trust boundaries? — Where does untrusted data enter the system? (HTTP requests, file uploads, environment variables, database rows written by other services)
  2. What can an attacker control? — Which inputs flow into sensitive operations? (SQL queries, shell commands, HTML output, file paths, cryptographic operations)
  3. What is the blast radius? — If this defense fails, what's the worst outcome? (Data leak, RCE, privilege escalation, denial of service)

Severity Levels

Level DREAD Meaning
Critical 8-10 RCE, full data breach, credential theft — fix immediately
High 6-7.9 Auth bypass, significant data exposure, broken crypto — fix in current sprint
Medium 4-5.9 Limited exposure, session issues, defense weakening — fix in next sprint
Low 1-3.9 Minor info disclosure, best-practice deviations — fix opportunistically

Levels align with DREAD scoring.

Research Before Reporting

Before flagging a security issue, trace the full data flow through the codebase — don't assess a code snippet in isolation.

  1. Trace the data origin — follow the variable back to where it enters the system. Is it user input, a hardcoded constant, or an internal-only value?
  2. Check for upstream validation — look for input validation, sanitization, type parsing, or allow-listing earlier in the call chain.
  3. Examine the trust boundary — if the data never crosses a trust boundary (e.g., internal service-to-service with mTLS), the risk profile is different.
  4. Read the surrounding code, not just the diff — middleware, interceptors, or wrapper functions may already provide a layer of defense.

Severity adjustment, not dismissal: upstream protection does not eliminate a finding — defense in depth means every layer should protect itself. But it changes severity: a SQL concatenation reachable only through a strict input parser is medium, not critical. Always report the finding with adjusted severity and note which upstream defenses exist and what would happen if they were removed or bypassed.

When downgrading or skipping a finding: add a brief inline comment (e.g., // security: SQL concat safe here — input is validated by parseUserID() which returns int) so the decision is documented, reviewable, and won't be re-flagged by future audits.

Threat Modeling (STRIDE)

Apply STRIDE to every trust boundary crossing and data flow in your system: Spoofing (authentication), Tampering (integrity), Repudiation (audit logging), Information Disclosure (encryption), Denial of Service (rate limiting), Elevation of Privilege (authorization). Score each threat using DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability) to prioritize remediation — Critical (8-10) demands immediate action.

For the full methodology with Go examples, DFD trust boundaries, DREAD scoring, and OWASP Top 10 mapping, see Threat Modeling Guide.

Quick Reference

Severity Vulnerability Defense Standard Library Solution
Critical SQL Injection Parameterized queries separate data from code database/sql with ? placeholders
Critical Command Injection Pass args separately, never via shell concatenation exec.Command with separate args
High XSS Auto-escaping renders user data as text, not HTML/JS html/template, text/template
High Path Traversal Scope file access to a root, prevent ../ escapes os.Root (Go 1.24+), filepath.Clean
Medium Timing Attacks Constant-time comparison avoids byte-by-byte leaks crypto/subtle.ConstantTimeCompare
High Crypto Issues Use vetted algorithms; never roll your own crypto/aes, crypto/rand
Medium HTTP Security TLS + security headers prevent downgrade attacks net/http, configure TLSConfig
Low Missing Headers HSTS, CSP, X-Frame-Options prevent browser attacks Security headers middleware
Medium Rate Limiting Rate limits prevent brute-force and resource exhaustion golang.org/x/time/rate, server timeouts
High Race Conditions Protect shared state to prevent data corruption sync.Mutex, channels, avoid shared state

Detailed Categories

For complete examples, code snippets, and CWE mappings, see:

Code Review Checklist

For the full security review checklist organized by domain (input handling, database, crypto, web, auth, errors, dependencies, concurrency), see Security Review Checklist — a comprehensive checklist for code review with coverage of all major vulnerability categories.

Tooling & Verification

Static Analysis & Linting

Security-relevant linters: bodyclose, sqlclosecheck, nilerr, errcheck, govet, staticcheck. See the samber/cc-skills-golang@golang-linter skill for configuration and usage.

For deeper security-specific analysis:

# Go security checker (SAST)
go install github.com/securego/gosec/v2/cmd/gosec@latest
gosec ./...

# Vulnerability scanner — see golang-dependency-management for full govulncheck usage
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...

Security Testing

# Race detector
go test -race ./...

# Fuzz testing
go test -fuzz=Fuzz

Common Mistakes

| Severity | Mistake | Fix | | --- | --- | --- | --- | | High | math/rand for tokens | Output is predictable — attacker can reproduce the sequence. Use crypto/rand | | Critical | SQL string concatenation | Attacker can modify query logic. Parameterized queries keep data and code separate | | Critical | exec.Command("bash -c") | Shell interprets metacharacters (;, |, `). Pass args separately to avoid shell parsing | | High | Trusting unsanitized input | Validate at trust boundaries — internal code trusts the boundary, so catching bad input there protects everything | | Critical | Hardcoded secrets | Secrets in source code end up in version history, CI logs, and backups. Use env vars or secret managers | | Medium | Comparing secrets with == | == short-circuits on first differing byte, leaking timing info. Use crypto/subtle.ConstantTimeCompare | | Medium | Returning detailed errors | Stack traces and DB errors help attackers map your system. Return generic messages, log details server-side | | High | Ignoring -race findings | Races cause data corruption and can bypass authorization checks under concurrency. Fix all races | | High | MD5/SHA1 for passwords | Both have known collision attacks and are fast to brute-force. Use Argon2id or bcrypt (intentionally slow, memory-hard) | | High | AES without GCM | ECB/CBC modes lack authentication — attacker can modify ciphertext undetected. GCM provides encrypt+authenticate | | Medium | Binding to 0.0.0.0 | Exposes service to all network interfaces. Bind to specific interface to limit attack surface |

Security Anti-Patterns

Severity Anti-Pattern Why It Fails Fix
High Security through obscurity Hidden URLs are discoverable via fuzzing, logs, or source Authentication + authorization on all endpoints
High Trusting client headers X-Forwarded-For, X-Is-Admin are trivially forged Server-side identity verification
High Client-side authorization JavaScript checks are bypassed by any HTTP client Server-side permission checks on every handler
High Shared secrets across envs Staging breach compromises production Per-environment secrets via secret manager
Critical Ignoring crypto errors _, _ = encrypt(data) silently proceeds unencrypted Always check errors — fail closed, never open
Critical Rolling your own crypto Custom encryption hasn't been analyzed by cryptographers Use crypto/aes GCM, golang.org/x/crypto/argon2

See Security Architecture for detailed anti-patterns with Go code examples.

Cross-References

See samber/cc-skills-golang@golang-database, samber/cc-skills-golang@golang-safety, samber/cc-skills-golang@golang-observability, samber/cc-skills-golang@golang-continuous-integration skills.

Additional Resources

how to use golang-security

How to use golang-security on Cursor

AI-first code editor with Composer

1

Prerequisites

Before installing skills in Cursor, ensure your development environment meets these requirements:

  • Cursor installed and configured on your development machine
  • Node.js version 16.0+ with npm package manager (verify with node --version)
  • Active project directory or workspace where you want to add golang-security
2

Execute installation command

Execute the skills CLI command in your project's root directory to begin installation:

$npx skills add https://github.com/samber/cc-skills-golang --skill golang-security

The skills CLI fetches golang-security from GitHub repository samber/cc-skills-golang and configures it for Cursor.

3

Select Cursor when prompted

The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:

◆ Which agents do you want to install to?
│ ── Universal (.agents/skills) ── always included ────
│ • Amp
│ • Antigravity
│ • Cline
│ • Codex
│ ●Cursor(selected)
│ • Cursor
│ • Windsurf
4

Verify installation

Confirm successful installation by checking the skill directory location:

.cursor/skills/golang-security

Reload or restart Cursor to activate golang-security. Access the skill through slash commands (e.g., /golang-security) or your agent's skill management interface.

Security & Verification Notice

We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.

Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.

Additional Resources

View source code on GitHubSkills CLI documentationLearn more about CursorWhat are agent skills?

List & Monetize Your Skill

Submit your Claude Code skill and start earning

GET_STARTED →

Use Cases

Task Automation & Efficiency

Automate repetitive workflows and reduce manual effort

Example

Generate reports, summarize documents, draft communications

Save 3-5 hours per week on routine tasks

Knowledge Enhancement

Learn new skills, understand complex topics, get expert guidance

Example

Explain concepts, provide examples, suggest learning resources

Accelerate learning and skill development by 2x

Quality Improvement

Enhance output quality through reviews, suggestions, and refinements

Example

Review drafts, suggest improvements, catch errors

Improve work quality by 30-40% with less effort

Implementation Guide

Prerequisites

  • Claude Desktop or compatible AI client with skill support
  • Clear understanding of task or problem to solve
  • Willingness to iterate and refine outputs

Time Estimate

15-45 minutes depending on use case complexity

Installation Steps

  1. 1.Install skill using provided installation command
  2. 2.Test with simple use case relevant to your work
  3. 3.Evaluate output quality and relevance
  4. 4.Iterate on prompts to improve results
  5. 5.Integrate into regular workflow if valuable

Common Pitfalls

  • Expecting perfect results without iteration
  • Not providing enough context in prompts
  • Using skill for tasks outside its intended scope
  • Accepting outputs without review and validation

Best Practices

✓ Do

  • +Start with clear, specific prompts
  • +Provide relevant context and constraints
  • +Review and refine all outputs before using
  • +Iterate to improve output quality
  • +Document successful prompt patterns

✗ Don't

  • Don't use without understanding skill limitations
  • Don't skip validation of outputs
  • Don't share sensitive information in prompts
  • Don't expect skill to replace human judgment

💡 Pro Tips

  • Be specific about desired format and style
  • Ask for multiple options to choose from
  • Request explanations to understand reasoning
  • Combine AI efficiency with human expertise

When to Use This

✓ Use When

Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.

✗ Avoid When

Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.

Learning Path

  1. 1Familiarize yourself with skill capabilities and limitations
  2. 2Start with low-risk, non-critical tasks
  3. 3Progress to more complex and valuable use cases
  4. 4Build expertise through regular use and experimentation

Discussion

Product Hunt–style comments (not star reviews)
  • No comments yet — start the thread.
general reviews

Ratings

4.653 reviews
  • Ganesh Mohane· Dec 24, 2024

    I recommend golang-security for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.

  • Diego Haddad· Dec 8, 2024

    Useful defaults in golang-security — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.

  • Valentina Mensah· Dec 8, 2024

    golang-security has been reliable in day-to-day use. Documentation quality is above average for community skills.

  • Diego Martin· Dec 8, 2024

    golang-security fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.

  • Ava Abbas· Nov 27, 2024

    golang-security is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.

  • Naina Thomas· Nov 27, 2024

    Solid pick for teams standardizing on skills: golang-security is focused, and the summary matches what you get after install.

  • Rahul Santra· Nov 15, 2024

    golang-security fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.

  • Diego Thomas· Oct 18, 2024

    golang-security reduced setup friction for our internal harness; good balance of opinion and flexibility.

  • Naina Li· Oct 18, 2024

    I recommend golang-security for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.

  • Ava Mensah· Oct 18, 2024

    Solid pick for teams standardizing on skills: golang-security is focused, and the summary matches what you get after install.

showing 1-10 of 53

1 / 6