
fix(deps): update module github.com/securego/gosec/v2 to v2.25.0 #858

Open
red-hat-konflux-kflux-prd-rh02[bot] wants to merge 1 commit into release-1.3 from
konflux/mintmaker/release-1.3/github.com-securego-gosec-v2-2.x

Conversation


@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 bot commented Dec 20, 2025

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package                       Change
github.com/securego/gosec/v2  v2.20.1-0.20240525090044-5f0084eb01a9 -> v2.25.0

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Release Notes

securego/gosec (github.com/securego/gosec/v2)

v2.25.0

Changelog

v2.24.7

Changelog

  • bb17e42 Ignore nosec comments in action integration workflow to generate some warnings (#1573)
  • e1502ad Add a workflow for action integration test (#1571)
  • f8691bd fix(sarif): avoid invalid null relationships in SARIF output (#1569)
  • ade1d0e chore: migrate gosec container image references to GHCR (#1567)

v2.24.6

Changelog

  • 88835e8 Update gorelease to use the latest cosign bundle argument (#1565)

v2.24.5

v2.24.4

v2.24.3

v2.24.2

v2.24.1

v2.24.0

Changelog

  • 271492b fix: G704 false positive on const URL (#1551)
  • 1341aea fix(G705): eliminate false positive for non-HTTP io.Writer (#1550)
  • f2262c8 G120: avoid false positive when MaxBytesReader is applied in middleware (#1547)
  • 5b580c7 Fix G602 regression coverage for issue #1545 and stabilize G117 TOML test dependency (#1546)
  • eba2d15 taint: skip context.Context arguments during taint propagation to fix false positives (#1543)
  • a6381c1 test: add missing rules to formatter report tests (#1540)
  • fea9725 chore(deps): update all dependencies (#1541)
  • f3e2fac Regenerate the TLS config rule (#1539)
  • 200461f Improve documentation (#1538)
  • 078a62a Expand analyzer-core test coverage for orchestration, go/analysis adapter logic, and taint integration (#1537)
  • ffdc620 Add unit tests for CLI orchestration, TLS config generation, and SSA cache behavior (#1536)
  • c13a486 Add G707 taint analyzer for SMTP command/header injection (#1535)
  • f61ed31 Add G123 analyzer for tls.VerifyPeerCertificate resumption bypass risk (#1534)
  • b568aa1 Add G122 SSA analyzer for filepath.Walk/WalkDir symlink TOCTOU race risks (#1532)
  • 1735e5a fix(G602): avoid false positives for range-over-array indexing (#1531)
  • caf93d0 Improve taint analyzer performance with shared SSA cache, parallel analyzer execution, and CI regression guard (#1530)
  • bd11fbe fix: taint analysis false positives with G703,G705 (#1522)
  • e34e8dd Extend the G117 rule to cover other types of serialization such as yaml/xml/toml (#1529)
  • b940702 Fix the G117 rule to take the JSON serialization into account (#1528)
  • 4f84627 (docs) fix justification format (#1524)
  • 36ba72b Add G121 analyzer for unsafe CORS bypass patterns in CrossOriginProtection (#1521)
  • 238f982 Add G120 SSA analyzer for unbounded form parsing in HTTP handlers (#1520)
  • 89cde27 Add G119 analyzer for unsafe redirect header propagation in CheckRedirect callbacks (#1519)
  • 14fdd9c Fix G115 false positives and negatives (Issue #1501) (#1518)
  • cec54ec chore(deps): update all dependencies (#1517)
  • 2b2077e Add G118 SSA analyzer for context propagation failures that can cause goroutine/resource leaks (#1516)
  • a7666f3 Add G113: Detect HTTP Request Smuggling via conflicting headers (CVE-2025-22891, CWE-444) (#1515)
  • 47f8b52 Add G408: SSH PublicKeyCallback Authentication Bypass Analyzer (#1513)
  • 4f1f362 Add more unit tests to improve coverage (#1512)
  • 9344582 Improve test coverage in various areas (#1511)
  • 8d1b2c6 Improve the test coverage (#1510)
  • 993c1c4 Fix incorrect detection of fixed iv in G407 (#1509)
  • 8668b74 Add support for go 1.26.x and removed support for go 1.24.x (#1508)
  • 514225c Fix the sonar report to follow the latest schema (#1507)
  • 000384e fix: broken taint analysis causing false positives (#1506)
  • 616192c fix: panic on float constants in overflow analyzer (#1505)
  • 79956a3 fix: panic when scanning multi-module repos from root (#1504)
  • 5736e8b fix: G602 false positive for array element access (#1499)
  • 1b7e1e9 Update gosec to version v2.23.0 in the Github action (#1496)

v2.23.0

Changelog

v2.22.11

Changelog

v2.22.10

Changelog

  • 6be2b51 Update go to version 1.25.3 and 1.24.9 in CI (#1404)
  • fddb942 chore(deps): update all dependencies (#1402)
  • f676031 Update go to version 1.25.2 and 2.24.8 in CI (#1401)
  • 35f7ec2 chore(deps): update all dependencies (#1399)
  • 01029f0 check nil slices, partially check bounds (#1396)
  • 34db3de Remove unused target from the makefile
  • f5a3b7a Use the ginkgo command install by the dependencies
  • 761fcbc Keep the go module at 1.24 version for compatibility reasons
  • 2238079 Remove manual test deps
  • bb08aa3 fix: text must be supplied when markdown is used
  • 23597d2 fix: improve error message of CheckAnalyzers
  • 8d7e9d5 fix: log panic on SSA
  • 0d8255e chore(deps): update all dependencies
  • f9c52aa Update gosec to version v.22.9 in the github action

v2.22.9

Changelog

  • 15d5c61 Update cosign to v2.6.0 and go in the CI to latest version
  • 7b8713e fix(autofix): unnecessary conversion
  • 64ebfc0 feat(autofix): update gemini sdk and add anthropic claude
  • 506407e feat(G304): add os.Root remediation hint (Autofix) when Go >= 1.24
  • 3ead143 chore(deps): update all dependencies
  • e81fba3 refactor(G304): remove unused trackJoin helper; no functional change
  • ab078db style: gofmt rules/readfile.go
  • e6218c8 test(g304): add samples for var perm and var flag with cleaned path
      - Ensure G304 does not fire when only non-path args (flag/perm) are variables
      - Both samples use filepath.Clean on the path arg
      - Rules suite remains green (42 passed)
  • 79f835d rules(G304): analyze only path arg; ignore flag/perm vars; track Clean and safe Join; fix nil-context panic
      - Limit G304 checks to first arg (path) for os.Open/OpenFile/ReadFile, avoiding false positives when flag/perm are variables
      - Track filepath.Clean so cleaned identifiers are treated as safe
      - Consider safe joins: filepath.Join(const|resolvedBase, Clean(var)|cleanedIdent)
      - Record Join(...) assigned to identifiers and allow if later cleaned
      - Fix panic by passing non-nil context in trackJoinAssignStmt
      - All rules tests: 42 passed
  • 40ac530 rules(G202): detect SQL concat in ValueSpec declarations; add test sample
      - Handle var query string = 'SELECT ...' + user style declarations
      - Reuse existing binary expr detection on ValueSpec.Values
      - Add postgres sample mirroring issue #1309 report
      - Rules tests: 42 passed
  • 4be6b11 chore(deps): update all dependencies
  • 5af1117 chore(deps): update all dependencies
  • 287b46c chore(deps): update all dependencies
  • cee0aea Update gosec version to v2.22.8 in the Github action

v2.22.8

Changelog

  • c945302 Add support for go version 1.25.0
  • ef7adab Update go version in CI to 1.24.6 and 1.23.12
  • e201bb8 chore(deps): update all dependencies
  • ba592af chore(deps): update all dependencies
  • 2ef6017 Update github action to release v2.22.7

v2.22.7

Changelog

  • 32975f4 Fix crash in hardcoded_nonce analyzer
  • 6ea6b35 Update go action to use release v2.22.6

v2.22.6

Changelog

  • bc3f214 Update go version to 1.24.5 and 1.23.11 in the CI
  • 925741b chore(deps): update module google.golang.org/api to v0.242.0
  • 59ae7e9 chore(deps): update all dependencies
  • e7abd9e chore(deps): update all dependencies
  • 35e7bc1 chore(deps): update all dependencies
  • 2d1ed95 chore(deps): update all dependencies
  • 4a8cb46 Do not allow dashes in file names
  • bcc8afb Update gosec to version 2.22.5 in Github action

v2.22.5

Changelog

  • d2d3ae6 Switch back go.mod to minimum 1.23.0
  • 1e7ed06 Update dependencies
  • 1bef91a Update go version 1.24.4 and 1.23.10 in CI
  • 621702f chore(deps): update all dependencies
  • 017d1d6 G201/G202: add checks for injection into sql.Conn methods
  • 67f63d4 chore(deps): update module google.golang.org/api to v0.235.0
  • b4eabb1 chore(deps): update module google.golang.org/api to v0.234.0
  • 52a80ff chore(deps): update module google.golang.org/api to v0.233.0
  • e2a9506 chore(deps): update module google.golang.org/api to v0.232.0

v2.22.4

Changelog

  • 6decf96 Update to go version 1.24.3 and 1.23.9
  • d522338 update: updated the build command to include version metadata
  • 270b5ce chore(deps): update all dependencies
  • 6027926 Update the AI provider API key value when provided as an argument
  • 65d2d9f chore(deps): update module google.golang.org/api to v0.230.0
  • dc1c38b chore(deps): update module google.golang.org/api to v0.229.0
  • 55dbf5a chore(deps): update all dependencies
  • 2aaa9c4 Comment the reason why the file can be nil when an issue is created
  • 700e9a9 Handle nil file when creating a new issue
  • d514c42 chore(deps): update all dependencies (#1333)
  • 1d458c5 Update version in 'action.yml' to 2.22.3 (anticipating next version (#1332)

v2.22.3

Changelog

v2.22.2

Changelog

v2.22.1

Changelog

v2.22.0

Changelog

Configuration

📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 bot added docs-approved Signifies that Docs has signed off on this PR ok-to-test Indicates a non-member PR verified by an org member that is safe to test. px-approved Signifies that Product Support has signed off on this PR qe-approved Signifies that QE has signed off on this PR labels Dec 20, 2025

red-hat-konflux-kflux-prd-rh02 bot commented Dec 20, 2025

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 22 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.22.0 -> 1.25.0
github.com/go-logr/logr v1.4.2 -> v1.4.3
github.com/onsi/gomega v1.34.1 -> v1.39.1
github.com/stretchr/testify v1.9.0 -> v1.11.1
golang.org/x/mod v0.21.0 -> v0.34.0
golang.org/x/net v0.28.0 -> v0.52.0
github.com/ccojocar/zxcvbn-go v1.0.2 -> v1.0.4
github.com/google/go-cmp v0.6.0 -> v0.7.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 -> v0.61.0
go.opentelemetry.io/otel v1.28.0 -> v1.39.0
go.opentelemetry.io/otel/metric v1.28.0 -> v1.39.0
go.opentelemetry.io/otel/trace v1.28.0 -> v1.39.0
golang.org/x/crypto v0.26.0 -> v0.49.0
golang.org/x/oauth2 v0.22.0 -> v0.34.0
golang.org/x/sync v0.8.0 -> v0.20.0
golang.org/x/sys v0.24.0 -> v0.42.0
golang.org/x/term v0.23.0 -> v0.41.0
golang.org/x/text v0.17.0 -> v0.35.0
golang.org/x/time v0.6.0 -> v0.12.0
golang.org/x/tools v0.24.0 -> v0.43.0
google.golang.org/genproto/googleapis/rpc v0.0.0-20240708141625-4ad9e859172b -> v0.0.0-20251202230838-ff82c1b0f217
google.golang.org/grpc v1.65.0 -> v1.79.3
google.golang.org/protobuf v1.34.2 -> v1.36.10


openshift-ci bot commented Dec 20, 2025

Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.


openshift-ci bot commented Dec 20, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: red-hat-konflux-kflux-prd-rh02[bot]
Once this PR has been reviewed and has the lgtm label, please assign yuumasato for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 bot changed the title fix(deps): update module github.com/securego/gosec/v2 to v2.22.11 fix(deps): update module github.com/securego/gosec/v2 to v2.22.11 - abandoned Feb 1, 2026

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 bot changed the title fix(deps): update module github.com/securego/gosec/v2 to v2.22.11 - abandoned fix(deps): update module github.com/securego/gosec/v2 to v2.22.11 Feb 1, 2026
@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 bot force-pushed the konflux/mintmaker/release-1.3/github.com-securego-gosec-v2-2.x branch from 79ab149 to c751798 Compare February 14, 2026 00:39
@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 bot changed the title fix(deps): update module github.com/securego/gosec/v2 to v2.22.11 fix(deps): update module github.com/securego/gosec/v2 to v2.23.0 Feb 14, 2026
@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 bot force-pushed the konflux/mintmaker/release-1.3/github.com-securego-gosec-v2-2.x branch from c751798 to 60c19a1 Compare February 28, 2026 00:42
@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 bot changed the title fix(deps): update module github.com/securego/gosec/v2 to v2.23.0 fix(deps): update module github.com/securego/gosec/v2 to v2.24.0 Feb 28, 2026
@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 bot changed the title fix(deps): update module github.com/securego/gosec/v2 to v2.24.0 Update module github.com/securego/gosec/v2 to v2.24.0 Feb 28, 2026
@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 bot force-pushed the konflux/mintmaker/release-1.3/github.com-securego-gosec-v2-2.x branch from 60c19a1 to b55ef48 Compare February 28, 2026 16:13
@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 bot changed the title Update module github.com/securego/gosec/v2 to v2.24.0 Update module github.com/securego/gosec/v2 to v2.24.6 Feb 28, 2026
@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 bot force-pushed the konflux/mintmaker/release-1.3/github.com-securego-gosec-v2-2.x branch from b55ef48 to ec5a1c0 Compare March 1, 2026 12:14
@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 bot changed the title Update module github.com/securego/gosec/v2 to v2.24.6 Update module github.com/securego/gosec/v2 to v2.24.7 Mar 1, 2026
@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 bot changed the title Update module github.com/securego/gosec/v2 to v2.24.7 fix(deps): update module github.com/securego/gosec/v2 to v2.24.7 Mar 8, 2026
@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 bot changed the title fix(deps): update module github.com/securego/gosec/v2 to v2.24.7 Update module github.com/securego/gosec/v2 to v2.24.7 Mar 14, 2026
@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 bot changed the title Update module github.com/securego/gosec/v2 to v2.24.7 fix(deps): update module github.com/securego/gosec/v2 to v2.24.7 Mar 14, 2026
@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 bot changed the title fix(deps): update module github.com/securego/gosec/v2 to v2.24.7 Update module github.com/securego/gosec/v2 to v2.24.7 Mar 15, 2026
@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 bot changed the title Update module github.com/securego/gosec/v2 to v2.24.7 fix(deps): update module github.com/securego/gosec/v2 to v2.24.7 Mar 15, 2026
Signed-off-by: red-hat-konflux-kflux-prd-rh02 <190377777+red-hat-konflux-kflux-prd-rh02[bot]@users.noreply.github.com>
@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 bot force-pushed the konflux/mintmaker/release-1.3/github.com-securego-gosec-v2-2.x branch from ec5a1c0 to 9362c83 Compare March 21, 2026 00:42
@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 bot changed the title fix(deps): update module github.com/securego/gosec/v2 to v2.24.7 fix(deps): update module github.com/securego/gosec/v2 to v2.25.0 Mar 21, 2026
@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 bot changed the title fix(deps): update module github.com/securego/gosec/v2 to v2.25.0 Update module github.com/securego/gosec/v2 to v2.25.0 Mar 21, 2026
@red-hat-konflux-kflux-prd-rh02 red-hat-konflux-kflux-prd-rh02 bot changed the title Update module github.com/securego/gosec/v2 to v2.25.0 fix(deps): update module github.com/securego/gosec/v2 to v2.25.0 Mar 22, 2026