Security

Critical security rules for preventing vulnerabilities

21 Security Rules

Run All Security Rules

pathfinder scan --ruleset golang/security --project .

Rules

Use of MD5 Weak Hash Algorithm

HIGH

Detects use of MD5 (crypto/md5) which is cryptographically broken — collision attacks are feasible in seconds and GPU cracking reaches 164 billion hashes/second.

go, security, crypto, md5, weak-hash, collision-attack, CWE-328, OWASP-A02
CWE-328, CWE-916
Updated 2026-04-13

Use of SHA1 Weak Hash Algorithm

HIGH

Detects use of SHA1 (crypto/sha1) which has a proven collision (SHAttered, 2017) and is deprecated by NIST for all applications through 2030.

go, security, crypto, sha1, weak-hash, shattered, collision-attack, CWE-328, OWASP-A02
CWE-328
Updated 2026-04-13

Use of DES or 3DES Weak Cipher

HIGH

Detects use of DES/3DES (crypto/des) — DES uses a 56-bit key exhausted in 22 hours (1999); 3DES is vulnerable to the SWEET32 birthday attack and disallowed by NIST after December 31, 2023.

go, security, crypto, des, 3des, triple-des, sweet32, birthday-attack, CWE-327, OWASP-A02
CWE-327
Updated 2026-04-13

Use of RC4 Stream Cipher

HIGH

Detects use of RC4 (crypto/rc4) which is prohibited in TLS by RFC 7465 (2015), has known statistical keystream biases, and is labeled "cryptographically broken" in the Go standard library.

go, security, crypto, rc4, stream-cipher, rfc7465, wep, fms-attack, CWE-327, OWASP-A02
CWE-327
Updated 2026-04-13

MD5 Used for Password Hashing

CRITICAL

MD5 hash output flows into password-related functions — MD5 runs at 164 billion hashes/second on a single GPU, making any MD5-hashed password database crackable in seconds to minutes.

go, security, crypto, md5, password-hashing, CWE-916, CWE-327, OWASP-A02, OWASP-A07
CWE-916, CWE-327, CWE-328
Updated 2026-04-13

SQL Injection via GORM Raw/Exec

CRITICAL

User-controlled input flows into GORM Raw() or Exec() raw SQL methods without parameterization — GORM's ORM safety guarantees do not apply to Raw/Exec with string concatenation.

go, security, sql-injection, gorm, raw-sql, CWE-89, OWASP-A03
CWE-89
Updated 2026-04-13

SQL Injection via GORM Query Builder Methods

HIGH

User-controlled input flows into GORM query builder methods (Order, Where, Group, Having) that accept raw SQL string fragments — GORM does not escape these clause arguments.

go, security, sql-injection, gorm, query-builder, order-by-injection, CWE-89, OWASP-A03
CWE-89
Updated 2026-04-13

JWT Parsed Without Signature Verification

HIGH

jwt.ParseUnverified() skips signature validation entirely — any attacker can forge arbitrary JWT claims (sub, role, admin) without knowing the signing key.

go, security, jwt, parse-unverified, authentication-bypass, CWE-345, CWE-347, OWASP-A08
CWE-345, CWE-347
Updated 2026-04-13

HTTP Server Without TLS

HIGH

Detects http.ListenAndServe() starting an unencrypted HTTP server — all traffic including credentials and session tokens travels in plaintext, interceptable by any network observer.

go, security, tls, http, cleartext, man-in-the-middle, CWE-319, OWASP-A02
CWE-319
Updated 2026-04-13

gRPC Client Without TLS

HIGH

Detects gRPC client using grpc.WithInsecure() or grpc.WithNoTLS() which disables transport encryption — all RPC calls including auth tokens and payloads travel in plaintext.

go, security, grpc, tls, insecure, cleartext, microservices, CWE-300, CWE-319, OWASP-A02
CWE-300, CWE-319
Updated 2026-04-13

Path Traversal via HTTP Input

HIGH

User-controlled HTTP input reaches file system operations without path validation — filepath.Clean() alone is insufficient; filepath.Join("/uploads", "/etc/passwd") returns "/etc/passwd" in Go.

go, security, path-traversal, directory-traversal, zip-slip, file-system, CWE-22, OWASP-A01
CWE-22
Updated 2026-04-13

Open Redirect via User-Controlled URL

HIGH

User-controlled input flows into HTTP redirect functions without URL validation — open redirect enables phishing, OAuth token theft, and malware distribution via trusted-domain URLs.

go, security, open-redirect, phishing, oauth, CWE-601, OWASP-A01
CWE-601
Updated 2026-04-13

SQL Injection via database/sql

CRITICAL

User-controlled input reaches database/sql query methods without parameterization, enabling SQL injection — ranked

go, security, sql-injection, database/sql, CWE-89, OWASP-A03
CWE-89
Updated 2026-04-13

OS Command Injection via HTTP Input

CRITICAL

User-controlled HTTP request input reaches os/exec command execution — the critical pattern is exec.Command("sh", "-c", userInput) which enables full shell injection with metacharacters.

go, security, command-injection, os-exec, shell-injection, CWE-78, OWASP-A03
CWE-78
Updated 2026-04-13

Hardcoded Credentials in Source Code

HIGH

Detects credential-named variables (password, secret, api_key, token) being assigned or passed as arguments — hardcoded secrets are exposed in git history, compiled binaries, container images, and CI/CD logs.

go, security, hardcoded-credentials, secrets, api-key, token, password, CWE-798, CWE-259, CWE-321, OWASP-A07, OWASP-A02
CWE-798, CWE-259, CWE-321
Updated 2026-04-13

SQL Injection via sqlx

CRITICAL

User-controlled input reaches sqlx query methods without parameterization — sqlx's convenience wrappers (Get, Select, NamedExec) are also vulnerable when used with raw string concatenation.

go, security, sql-injection, sqlx, CWE-89, OWASP-A03
CWE-89
Updated 2026-04-13

Server-Side Request Forgery via go-resty HTTP Client

HIGH

User-controlled input flows into go-resty HTTP client calls without URL validation, enabling SSRF attacks that steal cloud metadata credentials or probe internal services.

go, security, ssrf, resty, http-client, cloud-metadata, CWE-918, OWASP-A10
CWE-918
Updated 2026-04-13

SSRF via Outbound net/http Client Calls

HIGH

User-controlled input flows into net/http standard library client methods without URL validation, enabling SSRF attacks against internal services and cloud metadata endpoints.

go, security, ssrf, net-http, cloud-metadata, CWE-918, OWASP-A10
CWE-918
Updated 2026-04-13

XSS via Unsafe html/template Type Conversions

HIGH

User input cast to template.HTML, template.CSS, template.JS, or template.URL bypasses Go's context-aware auto-escaping, allowing raw attacker payload to reach the browser.

go, security, xss, reflected-xss, stored-xss, template, html-template, context-aware-escaping, CWE-79, OWASP-A03
CWE-79, CWE-116
Updated 2026-04-13

XSS via fmt.Fprintf to http.ResponseWriter

HIGH

User input flows into fmt.Fprintf/Fprintln/Fprint writing directly to ResponseWriter — fmt functions perform no HTML escaping, any user-controlled format argument renders as raw HTML in the browser.

go, security, xss, responsewriter, fmt, reflected-xss, CWE-79, CWE-116, OWASP-A03
CWE-79, CWE-116
Updated 2026-04-13

XSS via io.WriteString to http.ResponseWriter

HIGH

User input flows into io.WriteString writing directly to ResponseWriter without HTML escaping — io.WriteString is a raw byte writer that performs no HTML neutralization.

go, security, xss, responsewriter, io, reflected-xss, CWE-79, CWE-116, OWASP-A03
CWE-79, CWE-116
Updated 2026-04-13