CINXE.COM

Security - The Go Programming Language

<!DOCTYPE html> <html lang="en" data-theme="auto"> <head> <link rel="preconnect" href="https://www.googletagmanager.com"> <script >(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-W8MVQXG');</script> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="theme-color" content="#00add8"> <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Material+Icons"> <link rel="stylesheet" href="/css/styles.css"> <link rel="icon" href="/images/favicon-gopher.png" sizes="any"> <link rel="apple-touch-icon" href="/images/favicon-gopher-plain.png"/> <link rel="icon" href="/images/favicon-gopher.svg" type="image/svg+xml"> <link rel="me" href="https://hachyderm.io/@golang"> <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-W8MVQXG');</script> <script src="/js/site.js"></script> <meta name="og:url" content="https://go.dev/doc/security/"> <meta name="og:title" content="Security - The Go Programming Language"> <title>Security - The Go Programming Language</title> <meta name="og:image" content="https://go.dev/doc/gopher/gopher5logo.jpg"> <meta name="twitter:image" content="https://go.dev/doc/gopher/gopherbelly300.jpg"> <meta name="twitter:card" content="summary"> <meta name="twitter:site" content="@golang"> </head> <body class="Site"> <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-W8MVQXG" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript> <header class="Site-header js-siteHeader"> <div class="Header Header--dark"> <nav class="Header-nav"> <a href="/"> <img class="js-headerLogo Header-logo" src="/images/go-logo-white.svg" alt="Go"> </a> <div class="skip-navigation-wrapper"> <a class="skip-to-content-link" aria-label="Skip to main content" href="#main-content"> Skip to Main Content </a> </div> <div class="Header-rightContent"> <ul class="Header-menu"> <li class="Header-menuItem "> <a href="#" class="js-desktop-menu-hover" aria-label=Why&#32;Go aria-describedby="dropdown-description"> Why Go <i class="material-icons" aria-hidden="true">arrow_drop_down</i> </a> <div class="screen-reader-only" id="dropdown-description" hidden> Press Enter to activate/deactivate dropdown </div> <ul class="Header-submenu js-desktop-submenu-hover" aria-label="submenu"> <li class="Header-submenuItem"> <div> <a href="/solutions/case-studies"> Case Studies </a> </div> <p>Common problems companies solve with Go</p> </li> <li class="Header-submenuItem"> <div> <a href="/solutions/use-cases"> Use Cases </a> </div> <p>Stories about how and why companies use Go</p> </li> <li class="Header-submenuItem"> <div> <a href="/security/"> Security </a> </div> <p>How Go can help keep you secure by default</p> </li> </ul> </li> <li class="Header-menuItem "> <a href="/learn/" aria-label=Learn aria-describedby="dropdown-description"> Learn </a> <div class="screen-reader-only" id="dropdown-description" hidden> Press Enter to activate/deactivate dropdown </div> </li> <li class="Header-menuItem Header-menuItem--active"> <a href="#" class="js-desktop-menu-hover" aria-label=Docs aria-describedby="dropdown-description"> Docs <i class="material-icons" aria-hidden="true">arrow_drop_down</i> </a> <div class="screen-reader-only" id="dropdown-description" hidden> Press Enter to activate/deactivate dropdown </div> <ul class="Header-submenu js-desktop-submenu-hover" aria-label="submenu"> <li class="Header-submenuItem"> <div> <a href="/doc/effective_go"> Effective Go </a> </div> <p>Tips for writing clear, performant, and idiomatic Go code</p> </li> <li class="Header-submenuItem"> <div> <a href="/doc"> Go User Manual </a> </div> <p>A complete introduction to building software with Go</p> </li> <li class="Header-submenuItem"> <div> <a href="https://pkg.go.dev/std"> Standard library </a> </div> <p>Reference documentation for Go&#39;s standard library</p> </li> <li class="Header-submenuItem"> <div> <a href="/doc/devel/release"> Release Notes </a> </div> <p>Learn what&#39;s new in each Go release</p> </li> </ul> </li> <li class="Header-menuItem "> <a href="https://pkg.go.dev" aria-label=Packages aria-describedby="dropdown-description"> Packages </a> <div class="screen-reader-only" id="dropdown-description" hidden> Press Enter to activate/deactivate dropdown </div> </li> <li class="Header-menuItem "> <a href="#" class="js-desktop-menu-hover" aria-label=Community aria-describedby="dropdown-description"> Community <i class="material-icons" aria-hidden="true">arrow_drop_down</i> </a> <div class="screen-reader-only" id="dropdown-description" hidden> Press Enter to activate/deactivate dropdown </div> <ul class="Header-submenu js-desktop-submenu-hover" aria-label="submenu"> <li class="Header-submenuItem"> <div> <a href="/talks/"> Recorded Talks </a> </div> <p>Videos from prior events</p> </li> <li class="Header-submenuItem"> <div> <a href="https://www.meetup.com/pro/go"> Meetups <i class="material-icons">open_in_new</i> </a> </div> <p>Meet other local Go developers</p> </li> <li class="Header-submenuItem"> <div> <a href="/wiki/Conferences"> Conferences <i class="material-icons">open_in_new</i> </a> </div> <p>Learn and network with Go developers from around the world</p> </li> <li class="Header-submenuItem"> <div> <a href="/blog"> Go blog </a> </div> <p>The Go project&#39;s official blog.</p> </li> <li class="Header-submenuItem"> <div> <a href="/help"> Go project </a> </div> <p>Get help and stay informed from Go</p> </li> <li class="Header-submenuItem"> <div> Get connected </div> <p></p> <div class="Header-socialIcons"> <a class="Header-socialIcon" aria-label="Get connected with google-groups (Opens in new window)" href="https://groups.google.com/g/golang-nuts"><img src="/images/logos/social/google-groups.svg" /></a> <a class="Header-socialIcon" aria-label="Get connected with github (Opens in new window)" href="https://github.com/golang"><img src="/images/logos/social/github.svg" /></a> <a class="Header-socialIcon" aria-label="Get connected with twitter (Opens in new window)" href="https://twitter.com/golang"><img src="/images/logos/social/twitter.svg" /></a> <a class="Header-socialIcon" aria-label="Get connected with reddit (Opens in new window)" href="https://www.reddit.com/r/golang/"><img src="/images/logos/social/reddit.svg" /></a> <a class="Header-socialIcon" aria-label="Get connected with slack (Opens in new window)" href="https://invite.slack.golangbridge.org/"><img src="/images/logos/social/slack.svg" /></a> <a class="Header-socialIcon" aria-label="Get connected with stack-overflow (Opens in new window)" href="https://stackoverflow.com/tags/go"><img src="/images/logos/social/stack-overflow.svg" /></a> </div> </li> </ul> </li> </ul> <button class="Header-navOpen js-headerMenuButton Header-navOpen--white" aria-label="Open navigation."> </button> </div> </nav> </div> </header> <aside class="NavigationDrawer js-header"> <nav class="NavigationDrawer-nav"> <div class="NavigationDrawer-header"> <a href="/"> <img class="NavigationDrawer-logo" src="/images/go-logo-blue.svg" alt="Go."> </a> </div> <ul class="NavigationDrawer-list"> <li class="NavigationDrawer-listItem js-mobile-subnav-trigger NavigationDrawer-hasSubnav"> <a href="#"><span>Why Go</span> <i class="material-icons">navigate_next</i></a> <div class="NavigationDrawer NavigationDrawer-submenuItem"> <nav class="NavigationDrawer-nav"> <div class="NavigationDrawer-header"> <a href="#"><i class="material-icons">navigate_before</i>Why Go</a> </div> <ul class="NavigationDrawer-list"> <li class="NavigationDrawer-listItem"> <a href="/solutions/case-studies"> Case Studies </a> </li> <li class="NavigationDrawer-listItem"> <a href="/solutions/use-cases"> Use Cases </a> </li> <li class="NavigationDrawer-listItem"> <a href="/security/"> Security </a> </li> </ul> </div> </div> </li> <li class="NavigationDrawer-listItem "> <a href="/learn/">Learn</a> </li> <li class="NavigationDrawer-listItem js-mobile-subnav-trigger NavigationDrawer-listItem--active NavigationDrawer-hasSubnav"> <a href="#"><span>Docs</span> <i class="material-icons">navigate_next</i></a> <div class="NavigationDrawer NavigationDrawer-submenuItem"> <nav class="NavigationDrawer-nav"> <div class="NavigationDrawer-header"> <a href="#"><i class="material-icons">navigate_before</i>Docs</a> </div> <ul class="NavigationDrawer-list"> <li class="NavigationDrawer-listItem"> <a href="/doc/effective_go"> Effective Go </a> </li> <li class="NavigationDrawer-listItem"> <a href="/doc"> Go User Manual </a> </li> <li class="NavigationDrawer-listItem"> <a href="https://pkg.go.dev/std"> Standard library </a> </li> <li class="NavigationDrawer-listItem"> <a href="/doc/devel/release"> Release Notes </a> </li> </ul> </div> </div> </li> <li class="NavigationDrawer-listItem "> <a href="https://pkg.go.dev">Packages</a> </li> <li class="NavigationDrawer-listItem js-mobile-subnav-trigger NavigationDrawer-hasSubnav"> <a href="#"><span>Community</span> <i class="material-icons">navigate_next</i></a> <div class="NavigationDrawer NavigationDrawer-submenuItem"> <nav class="NavigationDrawer-nav"> <div class="NavigationDrawer-header"> <a href="#"><i class="material-icons">navigate_before</i>Community</a> </div> <ul class="NavigationDrawer-list"> <li class="NavigationDrawer-listItem"> <a href="/talks/"> Recorded Talks </a> </li> <li class="NavigationDrawer-listItem"> <a href="https://www.meetup.com/pro/go"> Meetups <i class="material-icons">open_in_new</i> </a> </li> <li class="NavigationDrawer-listItem"> <a href="/wiki/Conferences"> Conferences <i class="material-icons">open_in_new</i> </a> </li> <li class="NavigationDrawer-listItem"> <a href="/blog"> Go blog </a> </li> <li class="NavigationDrawer-listItem"> <a href="/help"> Go project </a> </li> <li class="NavigationDrawer-listItem"> <div>Get connected</div> <div class="Header-socialIcons"> <a class="Header-socialIcon" href="https://groups.google.com/g/golang-nuts"><img src="/images/logos/social/google-groups.svg" /></a> <a class="Header-socialIcon" href="https://github.com/golang"><img src="/images/logos/social/github.svg" /></a> <a class="Header-socialIcon" href="https://twitter.com/golang"><img src="/images/logos/social/twitter.svg" /></a> <a class="Header-socialIcon" href="https://www.reddit.com/r/golang/"><img src="/images/logos/social/reddit.svg" /></a> <a class="Header-socialIcon" href="https://invite.slack.golangbridge.org/"><img src="/images/logos/social/slack.svg" /></a> <a class="Header-socialIcon" href="https://stackoverflow.com/tags/go"><img src="/images/logos/social/stack-overflow.svg" /></a> </div> </li> </ul> </div> </div> </li> </ul> </nav> </aside> <div class="NavigationDrawer-scrim js-scrim" role="presentation"></div> <main class="SiteContent SiteContent--default" id="main-content"> <article class="Article Article--doc"> <h1>Security</h1> <p>This page provides resources for Go developers to improve security for their projects.</p> <p>(See also: <a href="/security/best-practices">Security Best Practices for Go Developers</a>.)</p> <h2 id="find-and-fix-known-vulnerabilities">Find and fix known vulnerabilities</h2> <p>Go鈥檚 vulnerability detection aims to provide low-noise, reliable tools for developers to learn about known vulnerabilities that may affect their projects. For an overview, start at <a href="/security/vuln">this summary and FAQ page</a> about Go鈥檚 vulnerability management architecture. For an applied approach, explore the tools below.</p> <h3 id="scan-code-for-vulnerabilities-with-govulncheck">Scan code for vulnerabilities with govulncheck</h3> <p>Developers can use the govulncheck tool to determine whether any known vulnerabilities affect their code and prioritize next steps based on which vulnerable functions and methods are actually called.</p> <ul> <li><a href="https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck" rel="noreferrer" target="_blank">View the govulncheck documentation</a></li> <li><a href="/doc/tutorial/govulncheck">Tutorial: Get started with govulncheck</a></li> </ul> <h3 id="detect-vulnerabilities-from-your-editor">Detect vulnerabilities from your editor</h3> <p>The VS Code Go extension checks third-party dependencies and surfaces relevant vulnerabilities.</p> <ul> <li><a href="/security/vuln/editor">User documentation</a></li> <li><a href="https://marketplace.visualstudio.com/items?itemName=golang.go" rel="noreferrer" target="_blank">Download VS Code Go</a></li> <li><a href="/doc/tutorial/govulncheck-ide">Tutorial: Get started with VS Code Go</a></li> </ul> <h3 id="find-go-modules-to-build-upon">Find Go modules to build upon</h3> <p><a href="https://pkg.go.dev/" rel="noreferrer" target="_blank">Pkg.go.dev</a> is a website for discovering, evaluating and learning more about Go packages and modules. When discovering and evaluating packages on pkg.go.dev, you will <a href="https://pkg.go.dev/golang.org/x/text@v0.3.7/language" rel="noreferrer" target="_blank">see a banner on the top of a page</a> if there are vulnerabilities in that version. Additionally, you can see the <a href="https://pkg.go.dev/golang.org/x/text@v0.3.7/language?tab=versions" rel="noreferrer" target="_blank">vulnerabilities impacting each version of a package</a> on the version history page.</p> <h3 id="browse-the-vulnerability-database">Browse the vulnerability database</h3> <p>The Go vulnerability database collects data directly from Go package maintainers as well as from outside sources such as <a href="https://www.cve.org/" rel="noreferrer" target="_blank">MITRE</a> and <a href="https://github.com/" rel="noreferrer" target="_blank">GitHub</a>. Reports are curated by the Go Security team.</p> <ul> <li><a href="https://pkg.go.dev/vuln/" rel="noreferrer" target="_blank">Browse reports in the Go vulnerability database</a></li> <li><a href="/security/vuln/database">View the Go Vulnerability Database documentation</a></li> <li><a href="/s/vulndb-report-new">Contribute a public vulnerability to the database</a></li> </ul> <h2 id="report-security-bugs-in-the-go-project">Report security bugs in the Go project</h2> <h3 id="security-policysecuritypolicy"><a href="/security/policy">Security Policy</a></h3> <p>Consult the Security Policy for instructions on how to <a href="/security/policy#reporting-a-security-bug">report a vulnerability in the Go project</a>. The page also details the Go security team鈥檚 process of tracking issues and disclosing them to the public. See the <a href="/doc/devel/release">release history</a> for details about past security fixes. Per the <a href="/doc/devel/release#policy">release policy</a>, we issue security fixes to the two most recent major releases of Go.</p> <h2 id="test-unexpected-inputs-with-fuzzing">Test unexpected inputs with fuzzing</h2> <p>Go native fuzzing provides a type of automated testing which continuously manipulates inputs to a program to find bugs. Go supports fuzzing in its standard toolchain beginning in Go 1.18. Native Go fuzz tests are <a href="https://google.github.io/oss-fuzz/getting-started/new-project-guide/go-lang/#native-go-fuzzing-support" rel="noreferrer" target="_blank">supported by OSS-Fuzz</a>.</p> <ul> <li><a href="/security/fuzz">Review the basics of fuzzing</a></li> <li><a href="/doc/tutorial/fuzz">Tutorial: Get started with fuzzing</a></li> </ul> <h2 id="secure-services-with-gos-cryptography-libraries">Secure services with Go&rsquo;s cryptography libraries</h2> <p>Go鈥檚 cryptography libraries aim to help developers build secure applications. See documentation for the <a href="https://pkg.go.dev/golang.org/x/crypto" rel="noreferrer" target="_blank">crypto packages</a> and <a href="https://pkg.go.dev/golang.org/x/crypto" rel="noreferrer" target="_blank">golang.org/x/crypto/</a>.</p> </article> </main> <footer class="Site-footer"> <div class="Footer"> <div class="Container"> <div class="Footer-links"> <div class="Footer-linkColumn"> <a href="/solutions/" class="Footer-link Footer-link--primary" aria-describedby="footer-description"> Why Go </a> <a href="/solutions/use-cases" class="Footer-link" aria-describedby="footer-description"> Use Cases </a> <a href="/solutions/case-studies" class="Footer-link" aria-describedby="footer-description"> Case Studies </a> </div> <div class="Footer-linkColumn"> <a href="/learn/" class="Footer-link Footer-link--primary" aria-describedby="footer-description"> Get Started </a> <a href="/play" class="Footer-link" aria-describedby="footer-description"> Playground </a> <a href="/tour/" class="Footer-link" aria-describedby="footer-description"> Tour </a> <a href="https://stackoverflow.com/questions/tagged/go?tab=Newest" class="Footer-link" aria-describedby="footer-description"> Stack Overflow </a> <a href="/help/" class="Footer-link" aria-describedby="footer-description"> Help </a> </div> <div class="Footer-linkColumn"> <a href="https://pkg.go.dev" class="Footer-link Footer-link--primary" aria-describedby="footer-description"> Packages </a> <a href="/pkg/" class="Footer-link" aria-describedby="footer-description"> Standard Library </a> <a href="https://pkg.go.dev/about" class="Footer-link" aria-describedby="footer-description"> About Go Packages </a> </div> <div class="Footer-linkColumn"> <a href="/project" class="Footer-link Footer-link--primary" aria-describedby="footer-description"> About </a> <a href="/dl/" class="Footer-link" aria-describedby="footer-description"> Download </a> <a href="/blog/" class="Footer-link" aria-describedby="footer-description"> Blog </a> <a href="https://github.com/golang/go/issues" class="Footer-link" aria-describedby="footer-description"> Issue Tracker </a> <a href="/doc/devel/release" class="Footer-link" aria-describedby="footer-description"> Release Notes </a> <a href="/brand" class="Footer-link" aria-describedby="footer-description"> Brand Guidelines </a> <a href="/conduct" class="Footer-link" aria-describedby="footer-description"> Code of Conduct </a> </div> <div class="Footer-linkColumn"> <a href="https://www.twitter.com/golang" class="Footer-link Footer-link--primary" aria-describedby="footer-description"> Connect </a> <a href="https://www.twitter.com/golang" class="Footer-link" aria-describedby="footer-description"> Twitter </a> <a href="https://github.com/golang" class="Footer-link" aria-describedby="footer-description"> GitHub </a> <a href="https://invite.slack.golangbridge.org/" class="Footer-link" aria-describedby="footer-description"> Slack </a> <a href="https://reddit.com/r/golang" class="Footer-link" aria-describedby="footer-description"> r/golang </a> <a href="https://www.meetup.com/pro/go" class="Footer-link" aria-describedby="footer-description"> Meetup </a> <a href="https://golangweekly.com/" class="Footer-link" aria-describedby="footer-description"> Golang Weekly </a> </div> </div> </div> </div> <div class="screen-reader-only" id="footer-description" hidden> Opens in new window. </div> <div class="Footer"> <div class="Container Container--fullBleed"> <div class="Footer-bottom"> <img class="Footer-gopher" src="/images/gophers/pilot-bust.svg" alt="The Go Gopher"> <ul class="Footer-listRow"> <li class="Footer-listItem"> <a href="/copyright" aria-describedby="footer-description">Copyright</a> </li> <li class="Footer-listItem"> <a href="/tos" aria-describedby="footer-description">Terms of Service</a> </li> <li class="Footer-listItem"> <a href="http://www.google.com/intl/en/policies/privacy/" aria-describedby="footer-description" target="_blank" rel="noopener"> Privacy Policy </a> </li> <li class="Footer-listItem"> <a href="/s/website-issue" aria-describedby="footer-description" target="_blank" rel="noopener" > Report an Issue </a> </li> <li class="Footer-listItem go-Footer-listItem"> <button class="go-Button go-Button--text go-Footer-toggleTheme js-toggleTheme" aria-label="Toggle theme"> <img data-value="auto" class="go-Icon go-Icon--inverted" height="24" width="24" src="/images/icons/brightness_6_gm_grey_24dp.svg" alt="System theme"> <img data-value="dark" class="go-Icon go-Icon--inverted" height="24" width="24" src="/images/icons/brightness_2_gm_grey_24dp.svg" alt="Dark theme"> <img data-value="light" class="go-Icon go-Icon--inverted" height="24" width="24" src="/images/icons/light_mode_gm_grey_24dp.svg" alt="Light theme"> </button> </li> </ul> <a class="Footer-googleLogo" target="_blank" href="https://google.com" rel="noopener"> <img class="Footer-googleLogoImg" src="/images/google-white.png" alt="Google logo"> </a> </div> </div> </div> <script src="/js/jquery.js"></script> <script src="/js/carousels.js"></script> <script src="/js/searchBox.js"></script> <script src="/js/misc.js"></script> <script src="/js/hats.js"></script> <script src="/js/playground.js"></script> <script src="/js/godocs.js"></script> <script async src="/js/copypaste.js"></script> </footer> <section class="Cookie-notice js-cookieNotice"> <div>go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. <a target=_blank href="https://policies.google.com/technologies/cookies">Learn more.</a></div> <div><button class="go-Button">Okay</button></div> </section> </body> </html>

Pages: 1 2 3 4 5 6 7 8 9 10