# Security Review

Ensures all code follows security best practices and identifies potential vulnerabilities.
## When to Activate

- Handling user input
- Creating new API endpoints
- Working with secrets or credentials
- Implementing authentication/authorization
- Integrating external services
- Before production deployments
## Security Checklist

### 1. Secrets Management

- No hardcoded API keys, tokens, or passwords
- All secrets via environment variables
- No secrets in git history
- `.env` files in `.gitignore`
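The "secrets via environment variables" item is only half the job: a secret read from the environment still leaks the moment someone logs the config struct. The following is an added example, not code from this checklist's project, showing one way to load required variables and make the values unprintable by default. The variable names `DATABASE_URL` and `API_KEY` are constructed for the example.

```go
package main

import (
	"fmt"
	"os"
)

// Secret wraps a credential so that printing, %v/%+v/%#v formatting and
// JSON encoding never write the value out. Code that really needs the
// value must call Reveal(), which keeps every real use easy to grep for.
type Secret struct{ v string }

func (s Secret) String() string   { return "[REDACTED]" }
func (s Secret) GoString() string { return "[REDACTED]" }
func (s Secret) MarshalJSON() ([]byte, error) {
	return []byte(`"[REDACTED]"`), nil
}

// Reveal returns the underlying credential for actual use (dial string, auth header).
func (s Secret) Reveal() string { return s.v }

// Config holds the secrets the service needs. The variable names are
// constructed for this example.
type Config struct {
	DatabaseURL Secret
	APIKey      Secret
}

// LoadConfig reads required secrets through getenv (os.Getenv in production,
// a map in tests) and fails fast on a missing one. The error names the
// variable but never echoes a value, so it is safe to log.
func LoadConfig(getenv func(string) string) (*Config, error) {
	required := func(name string) (Secret, error) {
		v := getenv(name)
		if v == "" {
			return Secret{}, fmt.Errorf("required environment variable %s is not set", name)
		}
		return Secret{v: v}, nil
	}
	dbURL, err := required("DATABASE_URL")
	if err != nil {
		return nil, err
	}
	apiKey, err := required("API_KEY")
	if err != nil {
		return nil, err
	}
	return &Config{DatabaseURL: dbURL, APIKey: apiKey}, nil
}

func main() {
	cfg, err := LoadConfig(os.Getenv)
	if err != nil {
		fmt.Println("config error:", err)
		return
	}
	// Even a careless debug print shows only the placeholder.
	fmt.Printf("loaded config: %+v\n", cfg)
}
```

Injecting `getenv` instead of calling `os.Getenv` directly keeps the loader testable without mutating the process environment, and the `Secret` type means the grep in the pre-commit scan below is no longer the only line of defence against a credential ending up in a log line.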
### 2. Input Validation

- All user inputs validated
- File uploads restricted (size, type)
- No direct use of user input in commands/queries
- Whitelist validation preferred over blacklist
### 3. Injection Prevention

- Parameterized queries (no string concatenation in SQL)
- Command injection prevention
- Path traversal prevention
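Items 2 and 3 above are closely linked: an allowlist validator at the boundary removes most injection vectors before any query or path is built, and what is left is handled by parameterization and a traversal check. The block below is an added example written for this checklist, not the project's own code; the directory `/srv/uploads`, the `users` table and the `$1` placeholder style (PostgreSQL; MySQL and SQLite drivers use `?`) are assumptions.

```go
package main

import (
	"database/sql"
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

var (
	ErrTraversal   = errors.New("path escapes base directory")
	ErrInvalidName = errors.New("invalid identifier")
)

// identRe is an allowlist: the exact shape we accept (short, alphanumeric,
// dash, underscore). This is the "whitelist over blacklist" item: we name
// what is allowed instead of trying to enumerate dangerous characters.
var identRe = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

// ValidateIdentifier rejects anything outside the allowlist, which covers
// shell metacharacters, SQL quotes, path separators and the empty string.
func ValidateIdentifier(s string) error {
	if !identRe.MatchString(s) {
		return ErrInvalidName
	}
	return nil
}

// SafeJoin resolves a user-supplied relative path under base and rejects
// any result that would land outside base. Rejecting, rather than silently
// rewriting "../", keeps the attempt visible in logs. filepath.Rel does not
// resolve symlinks; if base may contain them, resolve both sides with
// filepath.EvalSymlinks first.
func SafeJoin(base, userPath string) (string, error) {
	if filepath.IsAbs(userPath) {
		return "", ErrTraversal
	}
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	joined := filepath.Join(absBase, userPath) // Join cleans ".." segments
	rel, err := filepath.Rel(absBase, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return joined, nil
}

// FindUser shows the parameterized-query shape: the user value travels as a
// bound argument and is never spliced into the SQL text. Validation first
// is defence in depth, not a substitute for the placeholder.
func FindUser(db *sql.DB, username string) (int64, error) {
	if err := ValidateIdentifier(username); err != nil {
		return 0, err
	}
	var id int64
	err := db.QueryRow("SELECT id FROM users WHERE username = $1", username).Scan(&id)
	return id, err
}

func main() {
	for _, p := range []string{"reports/q1.pdf", "../etc/passwd", "a/../../x"} {
		out, err := SafeJoin("/srv/uploads", p)
		fmt.Printf("%-16q -> %q, %v\n", p, out, err)
	}
	for _, n := range []string{"alice_01", "bob'; DROP TABLE users;--"} {
		fmt.Printf("%q valid: %v\n", n, ValidateIdentifier(n) == nil)
	}
}
```

For command execution the same rule applies: pass validated values as separate `exec.Command` arguments and never build a string for `sh -c`.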
### 4. Authentication & Authorization

- Auth checks on every protected endpoint
- Principle of least privilege
- Session management secure
- Brute force protection
### 5. Error Handling

- No sensitive data in error messages
- Generic error messages for users
- Detailed errors only in server logs
- No stack traces exposed
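The four error-handling items reduce to one split: the client gets a fixed generic message plus an opaque reference, the server log gets the full error. The block below is an added example for this checklist, not project code; the sentinel errors, the `req-123` reference ID and the constructed connection-failure message are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net/http"
)

// Sentinel errors the handlers return; they carry no sensitive detail,
// so they may be mapped to a specific client-facing message.
var (
	ErrNotFound  = errors.New("not found")
	ErrForbidden = errors.New("forbidden")
)

// clientMessage maps an error to the status and generic text a user may see.
// Anything unrecognised (DB failures, file paths, wrapped driver errors)
// becomes a fixed 500 message so nothing internal leaks.
func clientMessage(err error) (int, string) {
	switch {
	case errors.Is(err, ErrNotFound):
		return http.StatusNotFound, "resource not found"
	case errors.Is(err, ErrForbidden):
		return http.StatusForbidden, "access denied"
	default:
		return http.StatusInternalServerError, "internal error"
	}
}

// ErrorResponse splits an error into what the client gets (status, body)
// and what the server log gets (logLine). Keeping it pure makes it easy
// to assert that no internal detail reaches the body.
func ErrorResponse(reqID string, err error) (status int, body, logLine string) {
	status, msg := clientMessage(err)
	body = fmt.Sprintf("%s (ref %s)", msg, reqID)
	logLine = fmt.Sprintf("request=%s status=%d err=%+v", reqID, status, err)
	return status, body, logLine
}

// WriteError is the handler-side wrapper: full detail to the logger,
// generic body to the client. Stack traces, if wanted, go to the log too.
func WriteError(w http.ResponseWriter, logger *log.Logger, reqID string, err error) {
	status, body, logLine := ErrorResponse(reqID, err)
	logger.Print(logLine)
	http.Error(w, body, status)
}

func main() {
	// Constructed internal error carrying the kind of detail that must not leak.
	internal := fmt.Errorf("db: dial tcp 10.0.0.5:5432: connection refused (user=admin)")
	for _, err := range []error{internal, fmt.Errorf("lookup: %w", ErrNotFound)} {
		status, body, logLine := ErrorResponse("req-123", err)
		fmt.Printf("client sees: %d %s\n", status, body)
		fmt.Printf("server logs: %s\n", logLine)
	}
}
```

Pair this with a recovery middleware that turns panics into the same `WriteError` call; the default `net/http` behaviour logs the panic server-side, but any custom recovery that writes `err.Error()` to the response undoes the split.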
### 6. Go-Specific Security

- No unsafe pointer usage without justification
- Goroutine leaks prevented (context cancellation)
- Race conditions checked (`go test -race`)
- `crypto/rand` for security-critical randomness
- Proper TLS configuration
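The Go-specific items are easiest to check against concrete code. The block below is an added example for this checklist, not the project's own code: it generates tokens from `crypto/rand`, compares them in constant time, runs a worker goroutine that cannot outlive its caller, and sets the TLS baseline. The helper names and the 5-second simulated backend delay are assumptions.

```go
package main

import (
	"context"
	"crypto/rand"
	"crypto/subtle"
	"crypto/tls"
	"encoding/hex"
	"fmt"
	"time"
)

// NewToken returns n bytes from crypto/rand, hex-encoded. math/rand is
// seeded and predictable; it must never back session IDs, reset tokens,
// nonces or CSRF values.
func NewToken(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// TokensEqual compares secrets in constant time so response timing does
// not reveal how many leading bytes matched.
func TokensEqual(a, b string) bool {
	return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1
}

// Lookup runs work in a goroutine while honouring the caller's context.
// Two details prevent the leak: the result channel is buffered (size 1) so
// the worker can always send and exit even after the caller has given up,
// and the worker receives ctx so its own blocking calls can stop early.
func Lookup(ctx context.Context, work func(context.Context) (string, error)) (string, error) {
	type result struct {
		v   string
		err error
	}
	ch := make(chan result, 1)
	go func() {
		v, err := work(ctx)
		ch <- result{v, err}
	}()
	select {
	case r := <-ch:
		return r.v, r.err
	case <-ctx.Done():
		return "", ctx.Err()
	}
}

// SlowDependency simulates a backend call that takes d but aborts on
// cancellation, which is what every blocking call inside work should do.
func SlowDependency(ctx context.Context, d time.Duration) (string, error) {
	timer := time.NewTimer(d)
	defer timer.Stop()
	select {
	case <-timer.C:
		return "done", nil
	case <-ctx.Done():
		return "", ctx.Err()
	}
}

// ServerTLSConfig is the baseline: TLS 1.2 minimum, and certificate
// verification left on (InsecureSkipVerify keeps its zero value, false).
func ServerTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

func main() {
	tok, _ := NewToken(32)
	fmt.Println("session token:", tok)

	ctx, cancel := context.WithTimeout(context.Background(), 50*time.Millisecond)
	defer cancel()
	_, err := Lookup(ctx, func(c context.Context) (string, error) {
		return SlowDependency(c, 5*time.Second)
	})
	fmt.Println("slow lookup:", err) // context deadline exceeded; the worker exits on its own
}
```

Run the tests for code like this with `go test -race` so the data-race item on the checklist is exercised by the same run.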
### 7. Dependency Security

```bash
# List the full module graph, then check it for known vulnerabilities
go list -m all
govulncheck ./...
```
## Pre-Commit Security Scan

```bash
# Search for hardcoded secrets
grep -rn "password\|secret\|api_key\|token\|private_key" --include="*.go" .

# Check for TODO security items
grep -rn "TODO.*security\|FIXME.*security" --include="*.go" .
```
## Response Protocol

If a CRITICAL vulnerability is found:

- STOP all other work
- Report the finding
- Suggest an immediate fix
- Check for similar patterns across the codebase
- Recommend secret rotation if needed