go-security
Install: claude install-skill hlsitechio/claude-skills-security
# Go Security Audit
Audit Go applications across stdlib `net/http`, Gin, Echo, Chi, Fiber.
## When this skill applies
- Reviewing Go HTTP handlers and middleware
- Auditing database queries (database/sql, sqlx, GORM)
- Reviewing template usage (html/template vs text/template)
- Checking goroutine safety and context propagation
- Reviewing file path handling
## Workflow
Follow `../_shared/audit-workflow.md`.
### Phase 1: Stack detection
```bash
grep -E '^module|require' go.mod | head
# Detect framework
grep -E 'github.com/(gin-gonic/gin|labstack/echo|go-chi/chi|gofiber/fiber|valyala/fasthttp)' go.mod
```
### Phase 2: Inventory
```bash
# Handlers and routes
grep -rn 'http\.HandleFunc\|r\.GET\|r\.POST\|router\.\|app\.' --include='*.go' . | head -50
# SQL queries
grep -rn 'db\.Query\|db\.QueryRow\|db\.Exec\|Prepare' --include='*.go' .
# Templates
grep -rn 'text/template\|html/template' --include='*.go' .
# File paths
grep -rn 'os\.Open\|filepath\.Join\|filepath\.Clean' --include='*.go' .
# Cryptography
grep -rn 'crypto/md5\|crypto/sha1\|crypto/des' --include='*.go' .
```
### Phase 3: Detection — the checks
#### Template injection
- **GOL-TPL-1** `html/template` used for HTML output (auto-escapes); never `text/template` for HTML (no escaping).
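The GOL-TPL-1 contrast carried further, as an added example that is not part of the skill's own files: one template rendered through both packages with a constructed untrusted value, to show the per-context escaping (element body, `href` attribute, inline `<script>`) that only `html/template` applies. The `Page` type, `pageTpl` and the `Render*` functions are names assumed for this example.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// Page is the template data; Name and Link are untrusted (e.g. from a query parameter).
type Page struct {
	Name string
	Link string
}

// One template, three output contexts; html/template picks an escaper per context, text/template has none.
const pageTpl = `<p>{{.Name}}</p><a href="{{.Link}}">link</a><script>var n = {{.Name}};</script>`

// RenderText is the GOL-TPL-1 finding: text/template writes Name and Link out verbatim.
func RenderText(p Page) (string, error) {
	t, err := texttemplate.New("page").Parse(pageTpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, p)
	return buf.String(), err
}

// RenderHTML is the fix: html/template HTML-escapes Name in the body, JSON-encodes it inside
// the script, and replaces a non-http/https/mailto URL scheme in href with "#ZgotmplZ".
func RenderHTML(p Page) (string, error) {
	t, err := htmltemplate.New("page").Parse(pageTpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, p)
	return buf.String(), err
}

func main() {
	// Constructed sample input: a markup payload and a non-http URL scheme.
	p := Page{Name: "<script>alert(1)</script>", Link: "javascript:alert(1)"}
	textOut, _ := RenderText(p)
	htmlOut, _ := RenderHTML(p)
	fmt.Println("text/template:", textOut)
	fmt.Println("html/template:", htmlOut)
}
```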
```go
// BAD — text/template doesn't escape HTML, so {{.Name}} is written out verbatim
import text "text/template"
tmpl, _ := text.New("p").Parse("<p>{{.Name}}</p>")
// GOOD — html/template is context-aware and escapes {{.Name}} for the HTML body
import html "html/template"
tmpl, _ := html.New("p").Parse("<p>{{.Name}}</p>")
```