Update module github.com/securego/gosec/v2 to v2.27.1

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/securego/gosec/v2	v2.22.11 → v2.27.1

---

Release Notes

securego/gosec (github.com/securego/gosec/v2)

v2.27.1

Compare Source

Changelog

• 9e6a984 Downgrade google lib to avoid min Go version bump (#​1687)

v2.27.0

Compare Source

Changelog

• 0a5c650 Downgrade the jsonschema dep to v0.13.0 due to incompatibility with anthropick-sdk-go (#​1686)
• b48e668 Update all dependencies (#​1685)
• bd17b25 Downgrade the github.com/invopop/jsonschema v0.13.0 to solve incopatibility with anthropic-sdk (#​1683)
• c6f8c3d Update all dependencies (#​1682)
• 5676cbc Update vulnerabilities alerts for indirect dependencies
• ce167d4 Pin dependencies (#​1681)
• 74b726d Skip pining for my repos
• a68f882 Update renovate configuration
• 2f8791b Fix typo
• ad3778a Update branch config in renovate config
• b1583fe Migrate config renovate.json (#​1678)
• 139e33d Update renovate to refresh the branch creation
• f3c03eb Update the renovate branch prefix
• 85814f2 Update renovate config to pin the actions dependencies by digests (#​1676)
• 55f0519 Migrate the html remport to react v19. (#​1675)
• 6ad4476 Manually update version to fix renovate (#​1674)
• 8f88312 feat: integrate Atlas Cloud provider (#​1672)
• 6351b0c Refactor error position parsing to support path with colon. (#​1673)
• de65614 Add two options to require rule ID and justificaiton for inline annotations (#​1671)
• e354c57 Fix false positive in G118 when cancel is stored in a slice/map (#​1670)
• 4161f0b chore(go): update supported Go versions to 1.25.10 and 1.26.3 (#​1669)
• b4f2934 Harden the github workflows and action (#​1665)
• b7aca26 Fix justification delimiter in annotation format doc (#​1661)
• 945bce7 Update all dependencies (#​1664)
• 5f4eec9 Update action to use gosec version v2.26.1 (#​1660)

v2.26.1

Compare Source

Changelog

• 4a3bd8a Update cosign to v3.0.6 (#​1659)

v2.26.0

Compare Source

v2.25.0

Compare Source

Changelog

• 223e19b chore(deps): bump google.golang.org/grpc from 1.75.0 to 1.79.3 (#​1617)
• b23a9e5 fix: allow barry action to access secrets on fork PRs (#​1616)
• 355cfa5 fix: reduce G117 false positives for custom marshalers and transformed values (#​1614) (#​1615)
• 744bfb5 Add barry security scanner as a step in the CI (#​1612)
• 4fde15d chore(deps): update all dependencies (#​1611)
• dec52c4 fix: prevent taint analysis hang on packages with many CHA call graph edges (#​1608) (#​1610)
• a0de8b6 Add some skills for claude code to automate some tasks (#​1609)
• c2dfcec Add G701-G706 rule-to-CWE mappings and CWE-117, CWE-918 entries (#​1606)
• 8aec3f4 fix: skip SSA analysis on ill-typed packages to prevent panic (#​1607)
• 1ced32d Port G120 from SSA-based to taint analysis (fixes #​1600, #​1603) (#​1605)
• befce8d fix(G118): eliminate false positive for package-level cancel variables (#​1602)
• b7b2c7b feat: add G124 rule for insecure HTTP cookie configuration (#​1599)
• 6e66a94 feat: add G709 rule for unsafe deserialization of untrusted data (#​1598)
• e7ea237 feat: add G708 rule for server-side template injection via text/template (#​1597)
• 8895462 fix(G118): eliminate false positive when cancel is called via struct field in a closure (#​1596)
• 619ce21 Fix infinite recursion in interprocedural taint analysis (#​1594)
• 0e0eb17 Fix G118 false positive when cancel is stored in returned struct field (#​1593)
• 59a9da0 Fix G118 false positive on cancel called inside goroutine closure (#​1592)
• cbf46b8 fix(analyzer): per-package rule instantiation eliminates concurrent map crash (#​1589)
• c6c3ba8 chore(deps): update all dependencies (#​1588)
• c709ed8 fix(G118): treat returned cancel func as called (fixes #​1584) (#​1585)
• fa74dd7 chore(go): update supported Go versions to 1.25.8 and 1.26.1 (#​1583)
• cd1f29e Update the README with the correct version of the Github action for gosec (#​1582)
• 5887aee chore(deps): update all dependencies (#​1579)
• 6641fcf Fix G115 false positives for guarded int64-to-byte conversions (#​1578)
• 3c9c3da Update the container image migration notice (#​1576)
• 973e94e chore(action): bump gosec to 2.24.7 (#​1575)

v2.24.7

Compare Source

Changelog

• bb17e42 Ignore nosec comments in action integration workflow to generate some warnings (#​1573)
• e1502ad Add a workflow for action integration test (#​1571)
• f8691bd fix(sarif): avoid invalid null relationships in SARIF output (#​1569)
• ade1d0e chore: migrate gosec container image references to GHCR (#​1567)

v2.24.6

Compare Source

Changelog

• 88835e8 Update gorelease to use the latest cosign bundle argument (#​1565)

v2.24.5

Compare Source

v2.24.4

Compare Source

v2.24.3

Compare Source

v2.24.2

Compare Source

v2.24.1

Compare Source

v2.24.0

Compare Source

Changelog

• 271492b fix: G704 false positive on const URL (#​1551)
• 1341aea fix(G705): eliminate false positive for non-HTTP io.Writer (#​1550)
• f2262c8 G120: avoid false positive when MaxBytesReader is applied in middleware (#​1547)
• 5b580c7 Fix G602 regression coverage for issue #​1545 and stabilize G117 TOML test dependency (#​1546)
• eba2d15 taint: skip context.Context arguments during taint propagation to fix false positives (#​1543)
• a6381c1 test: add missing rules to formatter report tests (#​1540)
• fea9725 chore(deps): update all dependencies (#​1541)
• f3e2fac Regenrate the TLS config rule (#​1539)
• 200461f Improve documentation (#​1538)
• 078a62a Expand analyzer-core test coverage for orchestration, go/analysis adapter logic, and taint integration (#​1537)
• ffdc620 Add unit tests for CLI orchestration, TLS config generation, and SSA cache behavior (#​1536)
• c13a486 Add G707 taint analyzer for SMTP command/header injection (#​1535)
• f61ed31 Add G123 analyzer for tls.VerifyPeerCertificate resumption bypass risk (#​1534)
• b568aa1 Add G122 SSA analyzer for filepath.Walk/WalkDir symlink TOCTOU race risks (#​1532)
• 1735e5a fix(G602): avoid false positives for range-over-array indexing (#​1531)
• caf93d0 Improve taint analyzer performance with shared SSA cache, parallel analyzer execution, and CI regression guard (#​1530)
• bd11fbe fix: taint analysis false positives with G703,G705 (#​1522)
• e34e8dd Extend the G117 rule to cover other types of serialization such as yaml/xml/toml (#​1529)
• b940702 Fix the G117 rule to take the JSON serialization into account (#​1528)
• 4f84627 (docs) fix justification format (#​1524)
• 36ba72b Add G121 analyzer for unsafe CORS bypass patterns in CrossOriginProtection (#​1521)
• 238f982 Add G120 SSA analyzer for unbounded form parsing in HTTP handlers (#​1520)
• 89cde27 Add G119 analyzer for unsafe redirect header propagation in CheckRedirect callbacks (#​1519)
• 14fdd9c Fix G115 false positives and negatives (Issue #​1501) (#​1518)
• cec54ec chore(deps): update all dependencies (#​1517)
• 2b2077e Add G118 SSA analyzer for context propagation failures that can cause goroutine/resource leaks (#​1516)
• a7666f3 Add G113: Detect HTTP Request Smuggling via conflicting headers (CVE-2025-22891, CWE-444) (#​1515)
• 47f8b52 Add G408: SSH PublicKeyCallback Authentication Bypass Analyzer (#​1513)
• 4f1f362 Add more unit tests to improve coverage (#​1512)
• 9344582 Improve test coverage in various areas (#​1511)
• 8d1b2c6 Imprve the test coverage (#​1510)
• 993c1c4 Fix incorrect detection of fixed iv in G407 (#​1509)
• 8668b74 Add support for go 1.26.x and removed support for go 1.24.x (#​1508)
• 514225c Fix the sonar report to follow the latest schema (#​1507)
• 000384e fix: broken taint analysis causing false positives (#​1506)
• 616192c fix: panic on float constants in overflow analyzer (#​1505)
• 79956a3 fix: panic when scanning multi-module repos from root (#​1504)
• 5736e8b fix: G602 false positive for array element access (#​1499)
• 1b7e1e9 Update gosec to version v2.23.0 in the Github action (#​1496)

v2.23.0

Compare Source

Changelog

• 398ad54 feat: Support for adding taint analysis engine (#​1486)
• 6eacd5c chore(deps): update all dependencies (#​1494)
• 181a7cb chore(deps): update all dependencies (#​1494)
• e2fa6ab chore(deps): update all dependencies (#​1488)
• eb252ba Fix G602 analyzer panic that kills gosec process (#​1491)
• 20d71a0 update go version to 1.25.7 (#​1492)
• a631af8 Fix URL regexp and remove redundant Google regex patterns (#​1485)
• 8968502 feat: implement global cache usage in rules (#​1480)
• 04f729c chore(deps): update module google.golang.org/genai to v1.43.0 (#​1484)
• ade0e8f refactor: optimize nosec parsing and reduce allocations (#​1478)
• d24bbf7 Fix SARIF artifactChanges null validation error (#​1483)
• 15cba7f feat: optimize GetCallInfo with per-package sync.Pool caching (#​1481)
• 5288673 feat: implement entropy pre-filtering to optimize secret detection (#​1479)
• d9a9bcd feat: ensure GoVersion is cached using sync.Once (#​1477)
• 516260a Fix #​1240: nosec comments now work with trailing open brackets (#​1475)
• be0fd6d Debug Build Profiling Support: Code improvement suggestions for PR#1471 (#​1476)
• b579523 Update the go version to 1.25.6 and 1.24.12 (#​1474)
• bd3c738 G115: Enhance RangeAnalyzer with constant propagation and chained arithmetic support (#​1470)
• 6897b36 chore(deps): update all dependencies (#​1473)
• 9f20212 feat: support path-based rule exclusions via exclude-rules (#​1465)
• 726d847 Optimize analyzer with parallel package processing (#​1466)
• 3150b28 feat: add goanalysis package for nogo (#​1449)
• 7284e15 Refactor Analyzers: Unify Range Logic & Optimize Allocations (#​1464)
• 7a4ccef Optimize G115, G602, G407 analyzers to reduce allocations and memory (#​1463)
• 833d791 refactor(g115): improve coverage (#​1462)
• 0cc9e01 Refine G407 to improve detection and coverage of hardcoded nonces (#​1460)
• 303f84d chore(deps): update all dependencies (#​1461)
• 7387d22 Refactor rules to use callListRule base structure (#​1458)
• 52f5dbf feat(slice): enhance slice bounds analysis with dynamic bounds handling (#​1457)
• 649e2c8 remove deprecated ast.Object (#​1455)
• 35a92b4 feat(sql): enhance SQL injection detection with improved string concatenation checks (#​1454)
• bc9d2bc feat(rules): enhance subprocess variable checks (#​1453)
• 8a5404e feat(resolve): enhance TryResolve to handle KeyValueExpr, IndexExpr, and SliceExpr (#​1452)
• 0f6f21c feat: add secrets serialization G117 (#​1451)
• 717706e feat(rules): add support for detecting high entropy strings in composite literals (#​1447)
• 082deb6 whitelist crypto/rand Read from error checks (#​1446)
• 095d529 chore(deps): update all dependencies (#​1443)
• c073629 Improve slice bound check (#​1442)
• 538a05c docs: add documentation for using gosec with private modules (#​1441)
• 2580437 chore(deps): update all dependencies (#​1440)
• 872b331 docs: add G116 rule description to README (#​1439)
• dcf93a8 Update GitHub action to gosec 2.22.11 (#​1438)

---

Configuration

📅 Schedule: (in timezone Asia/Tokyo)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 34 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.24.0 -> 1.25.0
github.com/anthropics/anthropic-sdk-go	v1.19.0 -> v1.46.0
golang.org/x/oauth2	v0.34.0 -> v0.36.0
cloud.google.com/go	v0.121.2 -> v0.123.0
cloud.google.com/go/aiplatform	v1.89.0 -> v1.120.0
cloud.google.com/go/auth	v0.16.5 -> v0.19.0
cloud.google.com/go/iam	v1.5.2 -> v1.5.3
cloud.google.com/go/longrunning	v0.6.7 -> v0.8.0
github.com/buger/jsonparser	v1.1.1 -> v1.2.0
github.com/googleapis/enterprise-certificate-proxy	v0.3.6 -> v0.3.14
github.com/googleapis/gax-go/v2	v2.15.0 -> v2.22.0
github.com/gookit/color	v1.6.0 -> v1.6.1
github.com/mailru/easyjson	v0.7.7 -> v0.9.2
github.com/openai/openai-go/v3	v3.8.1 -> v3.37.0
github.com/tidwall/gjson	v1.18.0 -> v1.19.0
github.com/tidwall/match	v1.1.1 -> v1.2.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	v0.61.0 -> v0.69.0
go.opentelemetry.io/otel	v1.38.0 -> v1.44.0
go.opentelemetry.io/otel/metric	v1.38.0 -> v1.44.0
go.opentelemetry.io/otel/trace	v1.38.0 -> v1.44.0
golang.org/x/crypto	v0.47.0 -> v0.52.0
golang.org/x/mod	v0.31.0 -> v0.36.0
golang.org/x/net	v0.49.0 -> v0.55.0
golang.org/x/sync	v0.19.0 -> v0.20.0
golang.org/x/sys	v0.40.0 -> v0.45.0
golang.org/x/telemetry	v0.0.0-20251203150158-8fff8a5912fc -> v0.0.0-20260508192327-42602be52be6
golang.org/x/text	v0.33.0 -> v0.37.0
golang.org/x/time	v0.12.0 -> v0.15.0
golang.org/x/tools	v0.40.0 -> v0.45.0
google.golang.org/api	v0.239.0 -> v0.274.0
google.golang.org/genai	v1.37.0 -> v1.58.0
google.golang.org/genproto	v0.0.0-20250603155806-513f23925822 -> v0.0.0-20260319201613-d00831a3d3e7
google.golang.org/genproto/googleapis/api	v0.0.0-20251029180050-ab9386a59fda -> v0.0.0-20260319201613-d00831a3d3e7
google.golang.org/genproto/googleapis/rpc	v0.0.0-20260202165425-ce8ad4cf556b -> v0.0.0-20260526163538-3dc84a4a5aaa
google.golang.org/grpc	v1.78.0 -> v1.81.1