go-security-vulnerability

clawhub:go-security-vulnerability

Grade: A (92/100)

First Seen: Feb 18, 2026

Last Scanned: Feb 22, 2026

Findings: 2

Score: 92/100

Severity breakdown: MEDIUM 1, LOW 1

Findings (2)

MEDIUM: Download binary or archive from URL
Location: L15

Detects downloading binary, archive, or installer files from remote URLs

Flagged line:

    curl -L https://golang.org/dl/go1.21.5.linux-amd64.tar.gz

FIX

Verify the integrity of downloaded binaries or archives using SHA-256 checksums or GPG signatures. Pin download URLs to specific versions and avoid fetching from unverified sources.

FP?

Likely FP if the download is from github.com or githubusercontent.com for a specific tagged release with documented checksums.

LOW: go install from remote
Location: L33

Detects go install fetching and compiling arbitrary Go packages

Flagged line:

    go install golang.org/x/vuln/cmd/govulncheck@

FIX

Pin go install targets to a specific version (e.g., go install example.com/tool@v1.2.3). Avoid @latest, as it fetches whatever version is currently published, which may differ from what was reviewed.

FP?

Likely FP if the go install target is a well-known tool (e.g., golang.org/x/ packages) pinned to a specific version in documentation.