getdoorman 1.0.0

package/src/rules/security/go.js

@@ -0,0 +1,850 @@
+/**
+ * Go Security Rules (SEC-GO-001 through SEC-GO-050)
+ *
+ * Each rule scans Go source files for security vulnerabilities.
+ */
+
+const isGo = (f) => f.endsWith('.go');
+
+const SKIP_PATH = /[/\\](test|tests|__tests__|__mocks__|mocks|fixtures|__fixtures__|spec|__snapshots__|node_modules|vendor|dist|build)[/\\]/i;
+const COMMENT_LINE = /^\s*(\/\/|\/\*|\*)/;
+
+function scanLines(content, regex, file, rule) {
+  const findings = [];
+  const lines = content.split('\n');
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (COMMENT_LINE.test(line)) continue;
+    if (regex.test(line)) {
+      findings.push({
+        ruleId: rule.id,
+        category: rule.category,
+        severity: rule.severity,
+        title: rule.title,
+        description: rule.description,
+        confidence: rule.confidence,
+        file,
+        line: i + 1,
+        fix: rule.fix || null,
+      });
+    }
+  }
+  return findings;
+}
+
+function checkGo(rule, files, ...patterns) {
+  const findings = [];
+  for (const [path, content] of files) {
+    if (SKIP_PATH.test(path)) continue;
+    if (isGo(path)) {
+      for (const p of patterns) {
+        findings.push(...scanLines(content, p, path, rule));
+      }
+    }
+  }
+  return findings;
+}
+
+const rules = [
+  // SEC-GO-001: SQL injection via fmt.Sprintf in db.Query
+  {
+    id: 'SEC-GO-001',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SQL Injection via fmt.Sprintf in Query',
+    description: 'Using fmt.Sprintf to build SQL queries passed to db.Query or db.Exec allows SQL injection.',
+    fix: { suggestion: 'Use parameterized queries with $1, $2 or ? placeholders instead of fmt.Sprintf.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /db\.(?:Query|Exec|QueryRow)\s*\(\s*fmt\.Sprintf/,
+      );
+    },
+  },
+
+  // SEC-GO-002: SQL injection via string concatenation
+  {
+    id: 'SEC-GO-002',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SQL Injection via String Concatenation',
+    description: 'Concatenating strings to build SQL queries allows injection attacks.',
+    fix: { suggestion: 'Use parameterized queries instead of string concatenation.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /db\.(?:Query|Exec|QueryRow)\s*\(\s*["'].*["']\s*\+/,
+      );
+    },
+  },
+
+  // SEC-GO-003: Command injection via exec.Command
+  {
+    id: 'SEC-GO-003',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Command Injection via exec.Command',
+    description: 'Passing user-controlled input to exec.Command can lead to arbitrary command execution.',
+    fix: { suggestion: 'Validate and sanitize input before passing to exec.Command. Avoid using shell execution.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /exec\.Command\s*\(\s*(?:r\.|req\.|params\.|input|user|arg)/,
+      );
+    },
+  },
+
+  // SEC-GO-004: Command injection via exec.CommandContext with shell
+  {
+    id: 'SEC-GO-004',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Command Injection via Shell Execution',
+    description: 'Using exec.Command with bash/sh -c and string interpolation enables command injection.',
+    fix: { suggestion: 'Use exec.Command with separate arguments instead of shell -c invocations.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /exec\.Command(?:Context)?\s*\(\s*(?:ctx\s*,\s*)?["'](?:bash|sh|\/bin\/(?:ba)?sh)["']\s*,\s*["']-c["']/,
+      );
+    },
+  },
+
+  // SEC-GO-005: Path traversal without filepath.Clean
+  {
+    id: 'SEC-GO-005',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Path Traversal via filepath.Join Without Cleaning',
+    description: 'Using filepath.Join with user input without filepath.Clean may allow directory traversal.',
+    fix: { suggestion: 'Use filepath.Clean on user-supplied path segments and verify the result stays within the expected base directory.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /filepath\.Join\s*\(\s*\w+\s*,\s*(?:r\.|req\.|params\.|c\.(?:Param|Query)|input|user)/,
+      );
+    },
+  },
+
+  // SEC-GO-006: Path traversal via os.Open with user input
+  {
+    id: 'SEC-GO-006',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Path Traversal via os.Open',
+    description: 'Opening files with unsanitized user input can allow reading arbitrary files.',
+    fix: { suggestion: 'Validate and sanitize the file path. Use filepath.Clean and verify the path prefix.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /os\.(?:Open|ReadFile|Create)\s*\(\s*(?:r\.|req\.|params\.|c\.(?:Param|Query)|input|user)/,
+      );
+    },
+  },
+
+  // SEC-GO-007: SSRF via http.Get with user-controlled URL
+  {
+    id: 'SEC-GO-007',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'SSRF via http.Get with User-Controlled URL',
+    description: 'Passing user input directly to http.Get allows Server-Side Request Forgery.',
+    fix: { suggestion: 'Validate and whitelist allowed URLs/domains before making HTTP requests.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /http\.(?:Get|Post|Head)\s*\(\s*(?:r\.|req\.|params\.|c\.(?:Param|Query)|input|user|fmt\.Sprintf)/,
+      );
+    },
+  },
+
+  // SEC-GO-008: SSRF via http.NewRequest with user URL
+  {
+    id: 'SEC-GO-008',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'SSRF via http.NewRequest with User URL',
+    description: 'Building HTTP requests with user-supplied URLs allows SSRF attacks.',
+    fix: { suggestion: 'Validate user-provided URLs against an allowlist of trusted hosts.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /http\.NewRequest\s*\(\s*["']\w+["']\s*,\s*(?:r\.|req\.|params\.|input|user|fmt\.Sprintf)/,
+      );
+    },
+  },
+
+  // SEC-GO-009: Ignored error return with blank identifier
+  {
+    id: 'SEC-GO-009',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Ignored Error Return Value',
+    description: 'Assigning errors to the blank identifier (_) ignores potential failures that may have security implications.',
+    fix: { suggestion: 'Handle error return values explicitly. At minimum, log the error.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /\b_\s*=\s*\w+\.(?:Close|Write|Read|Exec|Query|Send|Flush|Remove|Mkdir)\b/,
+      );
+    },
+  },
+
+  // SEC-GO-010: Missing error check on security-critical operations
+  {
+    id: 'SEC-GO-010',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Missing Error Check on Critical Operation',
+    description: 'Not checking errors from crypto, TLS, or auth operations can lead to security bypasses.',
+    fix: { suggestion: 'Always check and handle errors from security-critical operations.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /\b_\s*=\s*(?:tls|crypto|bcrypt|jwt|auth)\.\w+/,
+      );
+    },
+  },
+
+  // SEC-GO-011: Weak crypto - MD5 usage
+  {
+    id: 'SEC-GO-011',
+    category: 'security',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'Weak Cryptographic Hash: MD5',
+    description: 'MD5 is cryptographically broken and should not be used for security purposes.',
+    fix: { suggestion: 'Use SHA-256 or SHA-3 for hashing. Use bcrypt/scrypt/argon2 for password hashing.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /md5\.(?:New|Sum)\s*\(/,
+      );
+    },
+  },
+
+  // SEC-GO-012: Weak crypto - SHA1 for passwords
+  {
+    id: 'SEC-GO-012',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Weak Cryptographic Hash: SHA1',
+    description: 'SHA1 is deprecated for security use and should not be used for password hashing.',
+    fix: { suggestion: 'Use bcrypt, scrypt, or argon2 for password hashing. Use SHA-256+ for integrity checks.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /sha1\.(?:New|Sum)\s*\(/,
+      );
+    },
+  },
+
+  // SEC-GO-013: Weak crypto - DES usage
+  {
+    id: 'SEC-GO-013',
+    category: 'security',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'Weak Encryption: DES',
+    description: 'DES has a 56-bit key and is trivially breakable with modern hardware.',
+    fix: { suggestion: 'Use AES-256 (crypto/aes) instead of DES.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /des\.NewCipher\s*\(/,
+      );
+    },
+  },
+
+  // SEC-GO-014: Insecure TLS - InsecureSkipVerify
+  {
+    id: 'SEC-GO-014',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Insecure TLS: Certificate Verification Disabled',
+    description: 'Setting InsecureSkipVerify to true disables TLS certificate validation, enabling MITM attacks.',
+    fix: { suggestion: 'Remove InsecureSkipVerify: true. Use proper CA certificates for verification.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /InsecureSkipVerify\s*:\s*true/,
+      );
+    },
+  },
+
+  // SEC-GO-015: Insecure TLS - MinVersion too low
+  {
+    id: 'SEC-GO-015',
+    category: 'security',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'Insecure TLS: Minimum Version Too Low',
+    description: 'Setting TLS MinVersion to TLS 1.0 or 1.1 allows use of deprecated protocols with known vulnerabilities.',
+    fix: { suggestion: 'Set MinVersion to tls.VersionTLS12 or tls.VersionTLS13.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /MinVersion\s*:\s*tls\.Version(?:TLS10|TLS11|SSL30)/,
+      );
+    },
+  },
+
+  // SEC-GO-016: Hardcoded credentials - password
+  {
+    id: 'SEC-GO-016',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Hardcoded Password',
+    description: 'Passwords hardcoded in source code can be extracted and used to compromise systems.',
+    fix: { suggestion: 'Use environment variables, secret managers, or configuration files excluded from version control.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /(?:password|passwd|pwd)\s*(?:=|:=)\s*["'][^"']{4,}["']/i,
+      );
+    },
+  },
+
+  // SEC-GO-017: Hardcoded credentials - API key
+  {
+    id: 'SEC-GO-017',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Hardcoded API Key',
+    description: 'API keys hardcoded in source code can be extracted from binaries or repositories.',
+    fix: { suggestion: 'Use environment variables or a secrets manager for API keys.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /(?:apiKey|api_key|apiSecret|api_secret|token)\s*(?:=|:=)\s*["'][A-Za-z0-9_\-]{16,}["']/,
+      );
+    },
+  },
+
+  // SEC-GO-018: Hardcoded connection string
+  {
+    id: 'SEC-GO-018',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Hardcoded Database Connection String',
+    description: 'Database connection strings with credentials hardcoded in source code risk exposure.',
+    fix: { suggestion: 'Use environment variables for database connection strings.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /(?:=|:=)\s*["'](?:postgres|mysql|mongodb|redis):\/\/\w+:\w+@/,
+      );
+    },
+  },
+
+  // SEC-GO-019: Race condition - shared variable without mutex
+  {
+    id: 'SEC-GO-019',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'Potential Race Condition: Global Variable Modified in Goroutine',
+    description: 'Modifying shared state inside a goroutine without proper synchronization leads to race conditions.',
+    fix: { suggestion: 'Use sync.Mutex, sync.RWMutex, or channels to protect shared state.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /go\s+func\s*\([^)]*\)\s*\{[^}]*(?:counter|count|total|sum|shared|global)\s*(?:\+\+|\-\-|\+=|\-=|=)/,
+      );
+    },
+  },
+
+  // SEC-GO-020: Race condition - map access without sync
+  {
+    id: 'SEC-GO-020',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'Potential Race Condition: Concurrent Map Access',
+    description: 'Go maps are not safe for concurrent access. Use sync.Map or protect with mutex.',
+    fix: { suggestion: 'Use sync.Map or protect map access with sync.RWMutex.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /go\s+func\s*\([^)]*\)\s*\{[^}]*\w+\[\w+\]\s*=/,
+      );
+    },
+  },
+
+  // SEC-GO-021: Template injection via template.HTML
+  {
+    id: 'SEC-GO-021',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Template Injection via template.HTML',
+    description: 'Using template.HTML() with user input bypasses Go template auto-escaping, enabling XSS.',
+    fix: { suggestion: 'Avoid template.HTML with user-controlled data. Let the template engine auto-escape output.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /template\.HTML\s*\(\s*(?:r\.|req\.|params\.|c\.(?:Param|Query)|input|user)/,
+      );
+    },
+  },
+
+  // SEC-GO-022: Template injection via template.JS
+  {
+    id: 'SEC-GO-022',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Template Injection via template.JS',
+    description: 'Using template.JS() with user input bypasses auto-escaping in JavaScript contexts.',
+    fix: { suggestion: 'Do not pass user input to template.JS. Use proper escaping.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /template\.JS\s*\(\s*(?:r\.|req\.|params\.|c\.(?:Param|Query)|input|user)/,
+      );
+    },
+  },
+
+  // SEC-GO-023: Missing input validation in Gin handler
+  {
+    id: 'SEC-GO-023',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Missing Input Validation in Gin Handler',
+    description: 'Gin handler uses c.Param or c.Query without validation or binding.',
+    fix: { suggestion: 'Use ShouldBindJSON, ShouldBindQuery, or validate input with go-playground/validator.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /c\.(?:Param|Query|PostForm)\s*\(\s*["']\w+["']\s*\)/,
+      );
+    },
+  },
+
+  // SEC-GO-024: Missing input validation in Echo handler
+  {
+    id: 'SEC-GO-024',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Missing Input Validation in Echo Handler',
+    description: 'Echo handler uses c.Param or c.QueryParam without validation.',
+    fix: { suggestion: 'Use echo.Bind with validation tags or validate input manually.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /c\.(?:QueryParam|FormValue)\s*\(\s*["']\w+["']\s*\)/,
+      );
+    },
+  },
+
+  // SEC-GO-025: CORS wildcard origin
+  {
+    id: 'SEC-GO-025',
+    category: 'security',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'CORS Wildcard Origin',
+    description: 'Setting Access-Control-Allow-Origin to "*" allows any website to make cross-origin requests.',
+    fix: { suggestion: 'Specify allowed origins explicitly instead of using a wildcard.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /(?:Access-Control-Allow-Origin|AllowOrigins).*["']\*["']/,
+      );
+    },
+  },
+
+  // SEC-GO-026: CORS allow credentials with wildcard
+  {
+    id: 'SEC-GO-026',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'CORS Allow Credentials with Wildcard Origin',
+    description: 'Allowing credentials with wildcard origin is a severe misconfiguration enabling credential theft.',
+    fix: { suggestion: 'Never use AllowCredentials with wildcard AllowOrigins.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /AllowCredentials\s*:\s*true/,
+      );
+    },
+  },
+
+  // SEC-GO-027: JWT parsing without validation
+  {
+    id: 'SEC-GO-027',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'JWT Parsing Without Proper Validation',
+    description: 'Using jwt.Parse without specifying valid signing methods allows algorithm substitution attacks.',
+    fix: { suggestion: 'Use jwt.ParseWithClaims and specify the expected signing method in the key function.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /jwt\.Parse\s*\(\s*\w+\s*,\s*func/,
+      );
+    },
+  },
+
+  // SEC-GO-028: JWT none algorithm acceptance
+  {
+    id: 'SEC-GO-028',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'JWT None Algorithm Accepted',
+    description: 'Not validating the JWT signing method allows attackers to use the "none" algorithm to forge tokens.',
+    fix: { suggestion: 'Always verify the signing method in the key function: if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok { ... }' },
+    check({ files }) {
+      return checkGo(this, files,
+        /jwt\.UnsafeAllowNoneSignatureType/,
+      );
+    },
+  },
+
+  // SEC-GO-029: Goroutine leak - missing context cancellation
+  {
+    id: 'SEC-GO-029',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Goroutine Leak: Missing Context Cancellation',
+    description: 'Starting goroutines without context cancellation or timeout can cause resource exhaustion.',
+    fix: { suggestion: 'Use context.WithCancel or context.WithTimeout and pass the context to goroutines.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /go\s+func\s*\(\s*\)\s*\{/,
+      );
+    },
+  },
+
+  // SEC-GO-030: Goroutine leak - no WaitGroup or channel
+  {
+    id: 'SEC-GO-030',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Goroutine Without Lifecycle Management',
+    description: 'Goroutines started without WaitGroup, context, or done channel may leak on shutdown.',
+    fix: { suggestion: 'Use sync.WaitGroup or a done channel to manage goroutine lifecycle.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /go\s+\w+\s*\([^)]*\)\s*$/,
+      );
+    },
+  },
+
+  // SEC-GO-031: Deferred Close without error check
+  {
+    id: 'SEC-GO-031',
+    category: 'security',
+    severity: 'low',
+    confidence: 'suggestion',
+    title: 'Deferred Close Without Error Check',
+    description: 'Using defer file.Close() without checking the error may silently lose data on write failures.',
+    fix: { suggestion: 'Use a named return and check the error: defer func() { err = f.Close() }()' },
+    check({ files }) {
+      return checkGo(this, files,
+        /defer\s+\w+\.Close\s*\(\s*\)/,
+      );
+    },
+  },
+
+  // SEC-GO-032: Deferred Unlock ordering issue
+  {
+    id: 'SEC-GO-032',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Deferred Unlock May Cause Extended Lock Hold',
+    description: 'Deferring mutex unlock at function start can hold locks longer than necessary.',
+    fix: { suggestion: 'Consider explicit unlock after the critical section instead of defer.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /defer\s+\w+\.(?:RUnlock|Unlock)\s*\(\s*\)/,
+      );
+    },
+  },
+
+  // SEC-GO-033: Listening on 0.0.0.0
+  {
+    id: 'SEC-GO-033',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Server Listening on All Interfaces',
+    description: 'Binding to 0.0.0.0 exposes the service to all network interfaces, increasing attack surface.',
+    fix: { suggestion: 'Bind to 127.0.0.1 for local-only access, or use specific interface addresses.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /net\.Listen\s*\(\s*["']\w+["']\s*,\s*["']0\.0\.0\.0:/,
+      );
+    },
+  },
+
+  // SEC-GO-034: HTTP server on 0.0.0.0
+  {
+    id: 'SEC-GO-034',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'HTTP Server Listening on All Interfaces',
+    description: 'ListenAndServe on 0.0.0.0 or :port exposes the server on all network interfaces.',
+    fix: { suggestion: 'Specify the bind address explicitly, e.g., 127.0.0.1:8080.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /http\.ListenAndServe\s*\(\s*["']:?\d+["']/,
+      );
+    },
+  },
+
+  // SEC-GO-035: Unsafe pointer usage
+  {
+    id: 'SEC-GO-035',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Unsafe Pointer Usage',
+    description: 'Using unsafe.Pointer bypasses Go type safety and can lead to memory corruption.',
+    fix: { suggestion: 'Avoid unsafe.Pointer unless absolutely necessary. Document the safety invariants.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /unsafe\.Pointer\s*\(/,
+      );
+    },
+  },
+
+  // SEC-GO-036: Unsafe Sizeof/Offsetof
+  {
+    id: 'SEC-GO-036',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Unsafe Package Usage',
+    description: 'Using the unsafe package circumvents Go memory safety guarantees.',
+    fix: { suggestion: 'Minimize unsafe usage. Consider safe alternatives using reflect or encoding/binary.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /unsafe\.(?:Sizeof|Offsetof|Alignof)\s*\(/,
+      );
+    },
+  },
+
+  // SEC-GO-037: CGo - import "C" usage
+  {
+    id: 'SEC-GO-037',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'CGo Usage May Introduce Memory Safety Issues',
+    description: 'CGo imports C code that lacks Go memory safety, potentially introducing buffer overflows and other C vulnerabilities.',
+    fix: { suggestion: 'Minimize CGo usage. Validate all inputs passed to C functions. Consider pure Go alternatives.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /import\s+"C"/,
+      );
+    },
+  },
+
+  // SEC-GO-038: CGo - C.CString without C.free
+  {
+    id: 'SEC-GO-038',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'CGo Memory Leak: CString Without Free',
+    description: 'C.CString allocates C memory that must be freed with C.free to prevent memory leaks.',
+    fix: { suggestion: 'Always pair C.CString with defer C.free(unsafe.Pointer(cstr)).' },
+    check({ files }) {
+      return checkGo(this, files,
+        /C\.CString\s*\(/,
+      );
+    },
+  },
+
+  // SEC-GO-039: Unvalidated redirect
+  {
+    id: 'SEC-GO-039',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Open Redirect',
+    description: 'Redirecting to a user-supplied URL without validation enables phishing attacks.',
+    fix: { suggestion: 'Validate redirect URLs against an allowlist of trusted domains.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /http\.Redirect\s*\(\s*\w+\s*,\s*\w+\s*,\s*(?:r\.|req\.|c\.(?:Param|Query)|input|user)/,
+      );
+    },
+  },
+
+  // SEC-GO-040: Weak random for security
+  {
+    id: 'SEC-GO-040',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Insecure Random Number Generator',
+    description: 'math/rand is not cryptographically secure and should not be used for security-sensitive operations.',
+    fix: { suggestion: 'Use crypto/rand for generating tokens, keys, and other security-sensitive values.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /math\/rand/,
+      );
+    },
+  },
+
+  // SEC-GO-041: Missing CSRF protection
+  {
+    id: 'SEC-GO-041',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'Missing CSRF Protection',
+    description: 'POST/PUT/DELETE handlers without CSRF token validation are vulnerable to cross-site request forgery.',
+    fix: { suggestion: 'Use gorilla/csrf or a similar CSRF middleware.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /\.(?:POST|PUT|DELETE|PATCH)\s*\(\s*["']/,
+      );
+    },
+  },
+
+  // SEC-GO-042: Cookie without Secure flag
+  {
+    id: 'SEC-GO-042',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Cookie Without Secure Flag',
+    description: 'Cookies without the Secure flag can be sent over unencrypted HTTP connections.',
+    fix: { suggestion: 'Set Secure: true on cookies, especially session cookies.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /http\.Cookie\s*\{[^}]*Secure\s*:\s*false/,
+      );
+    },
+  },
+
+  // SEC-GO-043: Cookie without HttpOnly flag
+  {
+    id: 'SEC-GO-043',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Cookie Without HttpOnly Flag',
+    description: 'Cookies without HttpOnly can be accessed by JavaScript, increasing XSS impact.',
+    fix: { suggestion: 'Set HttpOnly: true on session and authentication cookies.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /http\.Cookie\s*\{[^}]*HttpOnly\s*:\s*false/,
+      );
+    },
+  },
+
+  // SEC-GO-044: SQL injection in GORM raw query
+  {
+    id: 'SEC-GO-044',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SQL Injection in GORM Raw Query',
+    description: 'Using db.Raw with fmt.Sprintf allows SQL injection through GORM.',
+    fix: { suggestion: 'Use db.Raw with ? placeholders and pass values as additional arguments.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /db\.Raw\s*\(\s*fmt\.Sprintf/,
+      );
+    },
+  },
+
+  // SEC-GO-045: Logging sensitive data
+  {
+    id: 'SEC-GO-045',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Sensitive Data in Log Output',
+    description: 'Logging passwords, tokens, or keys can expose sensitive data in log files.',
+    fix: { suggestion: 'Redact sensitive fields before logging. Use structured logging with field filtering.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /log\.(?:Print|Fatal|Panic|Info|Debug|Warn|Error)(?:f|ln)?\s*\([^)]*(?:password|token|secret|key|credential)/i,
+      );
+    },
+  },
+
+  // SEC-GO-046: Uncontrolled resource consumption - no timeout
+  {
+    id: 'SEC-GO-046',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'HTTP Server Without Timeouts',
+    description: 'HTTP server without read/write timeouts is vulnerable to slowloris and resource exhaustion attacks.',
+    fix: { suggestion: 'Set ReadTimeout, WriteTimeout, and IdleTimeout on http.Server.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /&http\.Server\s*\{[^}]*(?:Addr|Handler)[^}]*\}/,
+      );
+    },
+  },
+
+  // SEC-GO-047: Eval-like dynamic code execution
+  {
+    id: 'SEC-GO-047',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Dynamic Code via Plugin Loading',
+    description: 'Loading plugins dynamically from user-controlled paths can execute arbitrary code.',
+    fix: { suggestion: 'Validate plugin paths against an allowlist. Sign plugins and verify signatures.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /plugin\.Open\s*\(\s*(?:r\.|req\.|params\.|input|user)/,
+      );
+    },
+  },
+
+  // SEC-GO-048: Embedded credentials in struct tags
+  {
+    id: 'SEC-GO-048',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Sensitive Field Without JSON Omit',
+    description: 'Struct fields containing passwords or secrets without json:"-" may be serialized in API responses.',
+    fix: { suggestion: 'Add `json:"-"` tag to sensitive fields to exclude them from JSON serialization.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /(?:Password|Secret|Token|Key)\s+string\s+`json:"(?!-)(?:\w+)"/i,
+      );
+    },
+  },
+
+  // SEC-GO-049: Missing rate limiting
+  {
+    id: 'SEC-GO-049',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Missing Rate Limiting on HTTP Handler',
+    description: 'HTTP handlers without rate limiting are vulnerable to brute force and denial of service attacks.',
+    fix: { suggestion: 'Use golang.org/x/time/rate or a middleware like tollbooth for rate limiting.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /func\s+\w+\s*\(\s*w\s+http\.ResponseWriter\s*,\s*r\s+\*http\.Request\s*\)/,
+      );
+    },
+  },
+
+  // SEC-GO-050: XML external entity injection
+  {
+    id: 'SEC-GO-050',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'XML External Entity (XXE) Processing',
+    description: 'Using xml.NewDecoder without disabling external entities may allow XXE attacks.',
+    fix: { suggestion: 'Use xml.NewDecoder with a custom entity resolver or consider JSON for untrusted input.' },
+    check({ files }) {
+      return checkGo(this, files,
+        /xml\.NewDecoder\s*\(\s*(?:r\.|req\.|c\.Request)/,
+      );
+    },
+  },
+];
+
+export default rules;