Go SDK Reference

Chi HTTP router (chi.Router and chi.Mux). Path parameters extracted via URLParam are taint sources. Chi is one of the most popular lightweight routers in the Go ecosystem.

Represents echo.Context in the Echo HTTP framework (v4). Provides typed accessors for all parts of the HTTP request. All input methods are taint sources.

Represents fiber.Ctx in the Fiber HTTP framework (v2), inspired by Express.js. Zero-allocation design. All input methods are taint sources.

Go third-party package — github.com/flosch/pongo2/v6. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Represents gorm.DB, the primary database handle in GORM v2. Raw(), Exec(), and Where() with string arguments are SQL injection sinks when called with unsanitized user input.

Go third-party package — k8s.io/client-go. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

MongoDB Go driver Collection and Client. Queries built from user input via bson.D or bson.M with string interpolation are NoSQL injection sinks. The filter argument on Find/Update/Delete operations is where tainted input lands.

pgx PostgreSQL driver. Connection and Pool types expose Query/Exec/QueryRow that accept raw SQL strings — injection sinks when the SQL is built from user input. pgx is the recommended Postgres driver for new Go projects.

archive/tar package. Reader.Next() returns headers with user-controlled filenames — Zip Slip path traversal sink when extracting to filesystem.

archive/zip package. OpenReader() and File[].Name are sources of user-controlled filenames — Zip Slip path traversal when extracting.

Go stdlib package — arena. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Go stdlib package — go/ast. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Go third-party package — github.com/aws/aws-sdk-go-v2. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Go third-party package — cloud.google.com/go. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Represents resty.Client and resty.Request from go-resty/resty v2. SetURL, Execute, Get, Post etc. are SSRF sinks when the URL comes from user-controlled input.

Go third-party package — github.com/codeskyblue/go-sh. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

google.golang.org/grpc.ServerTransportStream exposes transport-layer metadata for in-flight gRPC calls. Method() returns the fully-qualified gRPC method name — path-like and frequently user-influenced via client-supplied routing. Header/Trailer methods ship metadata back to the client.

Go third-party package — go.uber.org/zap. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.

Represents jwt.Token from github.com/golang-jwt/jwt v5. The Valid field and Parse function are critical — rules detect patterns where signature verification is skipped.