Auth & Config
JWT verification, gRPC, Viper, YAML
GoCodeskyblueGoSh: Go third-party package — github.com/codeskyblue/go-sh. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
GoGRPCServerTransportStream: google.golang.org/grpc.ServerTransportStream exposes transport-layer metadata for in-flight gRPC calls. Method() returns the fully-qualified gRPC method name — path-like and frequently user-influenced via client-supplied routing. Header/Trailer methods ship metadata back to the client.
GoGoUberOrgZap: Go third-party package — go.uber.org/zap. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
GoJWTToken: Represents jwt.Token from github.com/golang-jwt/jwt v5. The Valid field and Parse function are critical — rules detect patterns where signature verification is skipped.
GoPelletierGoToml: Go third-party package — github.com/pelletier/go-toml/v2. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
GoSirupsenLogrus: Go third-party package — github.com/sirupsen/logrus. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
GoSpf13Afero: Go third-party package — github.com/spf13/afero. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
GoStretchrTestify: Go third-party package — github.com/stretchr/testify. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
GoViperConfig: github.com/spf13/viper is the de-facto Go configuration library. Values returned from Get* methods are sources when the config file itself contains untrusted fields (environment, remote KV stores). Write methods that persist config back are typically neutral.
GoYAMLDecoder: gopkg.in/yaml.v3 Decoder for YAML deserialization. Decode() hydrates arbitrary Go types from YAML input — a deserialization sink when the YAML source is user-controlled. Package-level yaml.Unmarshal has the same properties.