Agent Skills: Golang Security Standards

Secure Go backend services against common vulnerabilities. Use when implementing input validation, crypto, or SQL injection prevention in Go. (triggers: crypto/rand, argon2, sanitize, jwt, bcrypt, validation, input validation, sql injection)

ID: hoangnguyen0403/agent-skills-standard/golang-security

Install this agent skill to your local

pnpm dlx add-skill https://github.com/HoangNguyen0403/agent-skills-standard/tree/HEAD/skills/golang/golang-security

Skill Files

skills/golang/golang-security/SKILL.md

Skill Metadata

Name
golang-security
Description
"Secure Go backend services against common vulnerabilities. Use when implementing input validation, crypto, or SQL injection prevention in Go. (triggers: crypto/rand, argon2, sanitize, jwt, bcrypt, validation, input validation, sql injection)"

Golang Security Standards

Priority: P0 (CRITICAL)

Implementation Guidelines

Input Validation

  • Validation: Use go-playground/validator for struct validation (struct tags such as validate:"required,email,max=254"); google/go-cmp is a comparison library for tests, not a validator. Validate at the boundary: allowlist expected values and bound every length and numeric range, and reject unknown JSON fields rather than dropping them silently.
  • Sanitization: Validation comes first; sanitize only where untrusted markup must be rendered, using bluemonday (e.g. bluemonday.UGCPolicy()) for HTML. For ordinary output rely on html/template's contextual auto-escaping rather than hand-written sanitizing.
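The guidelines above in working form, as an added example that is not part of the skill: a request body parsed with a size cap, unknown fields and trailing data rejected, and each field checked against an allowlist rule using only the standard library (go-playground/validator would express the same rules as struct tags). The CreateUser type, the username rule and the 64 KiB limit are assumptions chosen for the illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/mail"
	"regexp"
	"strings"
)

// maxBodyBytes caps request bodies so a client cannot force unbounded parsing
// (assumed limit for this example).
const maxBodyBytes = 64 << 10

// usernameRE is an allowlist: only characters we expect, with a length bound.
var usernameRE = regexp.MustCompile(`^[a-z0-9_]{3,32}$`)

// CreateUser is the hypothetical request body for this example.
type CreateUser struct {
	Username string `json:"username"`
	Email    string `json:"email"`
	Age      int    `json:"age"`
}

// Validate checks every field against an allowlist rule and reports all
// failures at once so the client can fix them in one round trip.
func (u CreateUser) Validate() error {
	var errs []string
	if !usernameRE.MatchString(u.Username) {
		errs = append(errs, "username: 3-32 chars of a-z, 0-9, _")
	}
	// mail.ParseAddress also accepts display names ("Alice <a@x>"); requiring
	// the parsed address to equal the input lets only a bare address through.
	if addr, err := mail.ParseAddress(u.Email); err != nil || addr.Address != u.Email {
		errs = append(errs, "email: must be a bare RFC 5322 address")
	}
	if u.Age < 13 || u.Age > 150 {
		errs = append(errs, "age: must be between 13 and 150")
	}
	if len(errs) > 0 {
		return errors.New(strings.Join(errs, "; "))
	}
	return nil
}

// ParseCreateUser decodes exactly one JSON object from r with a size cap,
// rejects unknown fields and trailing data, then runs the field validation.
// It caps the reader itself so callers outside net/http are protected too.
func ParseCreateUser(r io.Reader) (*CreateUser, error) {
	dec := json.NewDecoder(io.LimitReader(r, maxBodyBytes))
	dec.DisallowUnknownFields() // "role":"admin" in the body is an error, not silently dropped
	var u CreateUser
	if err := dec.Decode(&u); err != nil {
		return nil, fmt.Errorf("invalid JSON: %w", err)
	}
	// After one complete value the next token must be EOF; anything else is
	// smuggled data (a second object, garbage) and is refused.
	if _, err := dec.Token(); err != io.EOF {
		return nil, errors.New("unexpected data after JSON object")
	}
	if err := u.Validate(); err != nil {
		return nil, err
	}
	return &u, nil
}

// HandleCreateUser wires the parser into net/http. Validation messages are
// safe to echo to the client; internal errors would be logged and replaced by
// a generic response instead.
func HandleCreateUser(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes) // also closes the connection on overflow
	u, err := ParseCreateUser(r.Body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusCreated)
	json.NewEncoder(w).Encode(map[string]string{"username": u.Username})
}
```

Mount HandleCreateUser with http.HandleFunc("/users", HandleCreateUser); ParseCreateUser can be exercised directly with strings.NewReader.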

Cryptography

  • Random: ALWAYS use crypto/rand (rand.Reader, rand.Read), NEVER math/rand or math/rand/v2, for security-sensitive values (tokens, keys, nonces/IVs, salts); neither math/rand package is cryptographically secure, seeded or not.
  • Hashing: Use Argon2id for password hashing (golang.org/x/crypto/argon2) with a 16-byte salt from crypto/rand, store the parameters and salt alongside the hash so they can be raised later, and compare with crypto/subtle.ConstantTimeCompare. bcrypt (golang.org/x/crypto/bcrypt) is weaker (no memory hardness, silent truncation at 72 bytes) and should be reserved for existing systems; MD5, SHA-1 and any unsalted fast hash are insecure for passwords. Recommended params: time=1, memory=64 MiB (64*1024 KiB), threads=4, 32-byte output, matching the argon2 package documentation.
  • Encryption: Use crypto/aes with GCM mode (crypto/cipher.NewGCM) for authenticated encryption. Draw a fresh 12-byte nonce from crypto/rand for every message and never reuse one under the same key (a repeat breaks both confidentiality and integrity); bind context such as a record ID as additional authenticated data, and rotate a key well before 2^32 messages.

SQL Injection Prevention

  • Parameterized Queries: ALWAYS bind values through placeholders with database/sql or an ORM (GORM, sqlx). The placeholder syntax is the driver's: $1, $2 for PostgreSQL (pgx, lib/pq), ? for MySQL and SQLite drivers. Placeholders bind values only; table and column names (for example a user-chosen ORDER BY) cannot be parameterized and must be checked against an allowlist before they are spliced into the text.
  • No String Concatenation: Never build queries with fmt.Sprintf() or + from request data, including the strings passed to GORM's Raw() and Where(); pass the data as arguments instead.
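The two rules above side by side, as an added example that is not part of the skill: the Sprintf anti-pattern, and a builder that binds values with PostgreSQL-style $n placeholders while allowlisting the one thing placeholders cannot carry, the ORDER BY column. The users table, its columns and the function names are assumptions for the illustration; FindUsers shows the call site and needs a real driver and connection.

```go
package main

import (
	"context"
	"database/sql"
	"fmt"
	"strconv"
	"strings"
)

// UnsafeUserQuery is the anti-pattern: request data becomes part of the SQL
// text, so a name of ' OR '1'='1 rewrites the WHERE clause.
func UnsafeUserQuery(name string) string {
	return fmt.Sprintf("SELECT id, name FROM users WHERE name = '%s'", name)
}

// sortColumns is the allowlist for ORDER BY. Identifiers cannot be bound as
// parameters, so the only safe option is to match them against known names.
var sortColumns = map[string]bool{"id": true, "name": true, "created_at": true}

// UserQuery builds a parameterized query. Values travel in args and reach the
// driver separately from the text; only an allowlisted column name is ever
// concatenated. strconv here formats the placeholder index, never user data.
func UserQuery(name, email, orderBy string) (string, []any, error) {
	var where []string
	var args []any
	if name != "" {
		args = append(args, name)
		where = append(where, "name = $"+strconv.Itoa(len(args)))
	}
	if email != "" {
		args = append(args, email)
		where = append(where, "email = $"+strconv.Itoa(len(args)))
	}
	q := "SELECT id, name, email FROM users"
	if len(where) > 0 {
		q += " WHERE " + strings.Join(where, " AND ")
	}
	if orderBy != "" {
		if !sortColumns[orderBy] {
			return "", nil, fmt.Errorf("invalid sort column %q", orderBy)
		}
		q += " ORDER BY " + orderBy
	}
	return q, args, nil
}

// FindUsers runs the query through database/sql; the driver sends the text and
// the bound values to the server separately, so args can never change the
// query's structure. It returns the matching names.
func FindUsers(ctx context.Context, db *sql.DB, name, email, orderBy string) ([]string, error) {
	q, args, err := UserQuery(name, email, orderBy)
	if err != nil {
		return nil, err
	}
	rows, err := db.QueryContext(ctx, q, args...)
	if err != nil {
		return nil, err
	}
	defer rows.Close()
	var names []string
	for rows.Next() {
		var id int64
		var n, e string
		if err := rows.Scan(&id, &n, &e); err != nil {
			return nil, err
		}
		names = append(names, n)
	}
	return names, rows.Err()
}
```

For MySQL or SQLite drivers replace the "$"+index placeholder with "?"; the allowlist logic is unchanged.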

Authentication

  • JWT: Use golang-jwt/jwt v5+. Pin the accepted algorithm when parsing (jwt.WithValidMethods) so the token's alg header cannot choose the verification method; prefer an asymmetric algorithm (RS256, or ES256/EdDSA) for multi-service auth and use HS256 only when issuer and verifier share one trust domain and one secret. Reject none outright, and never hand an HMAC secret to an RSA/EC verifier or vice versa (algorithm confusion). Validate iss, aud and exp on every token (jwt.WithIssuer, jwt.WithAudience, jwt.WithExpirationRequired).
  • Sessions: Use gorilla/sessions (or net/http cookies directly) with Secure, HttpOnly and SameSite set (sessions.Options{Secure: true, HttpOnly: true, SameSite: http.SameSiteLaxMode}); generate session IDs from crypto/rand and issue a new one on login.
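The JWT checks above made concrete, as an added example that is not part of the skill and not a substitute for golang-jwt: a standard-library HS256 verifier that pins the algorithm before looking at the signature (so alg=none and any asymmetric alg are refused), compares the HMAC in constant time, and checks iss, aud and exp. SignHS256 exists only to mint tokens for the demo; the claim set, issuer, audience and secret are assumptions, and aud is modelled as a single string although the JWT spec also allows an array.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset this service cares about (assumed for the example).
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// JWT segments are base64url without padding.
var b64 = base64.RawURLEncoding

// SignHS256 mints a token for the demo. A real issuer would use the library.
func SignHS256(c Claims, secret []byte) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// VerifyHS256 accepts a token only if alg is exactly HS256, the HMAC over
// header.payload matches, and iss/aud/exp agree with what this service
// expects. The alg check comes first: the header is attacker-controlled and
// must never select which key or method is used.
func VerifyHS256(token string, secret []byte, iss, aud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	headerJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "HS256" { // rejects "none", "RS256" under an HMAC key, etc.
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(mac.Sum(nil), sig) { // constant-time comparison
		return nil, errors.New("invalid signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Iss != iss {
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	}
	if c.Aud != aud {
		return nil, fmt.Errorf("token not intended for audience %q", aud)
	}
	// exp is required; a token without one never expires and must be refused.
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired or exp missing")
	}
	return &c, nil
}
```

With golang-jwt v5 the same policy is jwt.ParseWithClaims(tok, &claims, keyFunc, jwt.WithValidMethods([]string{"HS256"}), jwt.WithIssuer(iss), jwt.WithAudience(aud), jwt.WithExpirationRequired()); the point of the stdlib version is to show which check stops which attack.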

Secret Management

  • Environment Variables: Read secrets from the environment. godotenv is for local development only and the .env file must be in .gitignore; in Kubernetes, inject secrets from Secret objects as mounted files or env vars rather than baking them into images.
  • No Hardcoding: Never commit API keys, passwords, or tokens to Git.

Anti-Patterns

  • No math/rand for Security: RNG is predictable. Use crypto/rand.
  • No fmt.Sprintf() for SQL: Causes SQL injection. Use placeholders.
  • No bcrypt or MD5 for New Password Stores: Use Argon2id; keep bcrypt only for existing hashes and rehash on the user's next successful login. MD5 and SHA-1 are never acceptable.
  • No Exposed Error Details: Log the full error and stack trace server-side and return a generic message and status code to the client; internal messages leak file paths, query text and library versions.
