Security defaults that belong in every Go HTTP server from day one — CORS, security headers, rate limiting, SQL injection prevention, input validation, secrets management, graceful shutdown, and request timeouts.
Score summary: 89 · 83% · Does it follow best practices? · Impact · 99% · 1.32x average score across 5 eval scenarios · Passed · No known issues
{
"context": "Tests whether the agent uses parameterized SQL queries with proper placeholders (never string concatenation), whitelists dynamic SQL values like ORDER BY columns, and reads all secrets from environment variables with fail-fast startup.",
"type": "weighted_checklist",
"checklist": [
{
"name": "Parameterized queries used",
"description": "All SQL query strings use $1, $2, etc. placeholders (PostgreSQL style) or ? placeholders for all user-supplied values — not string concatenation or fmt.Sprintf",
"max_score": 14
},
{
"name": "No fmt.Sprintf in SQL",
"description": "Does NOT use fmt.Sprintf, string concatenation (+), or strings.Builder to construct any SQL query that includes user input or variable values",
"max_score": 10
},
{
"name": "ORDER BY whitelisted",
"description": "The sort query parameter is validated against a whitelist of allowed column names before being used in the ORDER BY clause (not directly interpolated from user input)",
"max_score": 10
},
{
"name": "Path param validated",
"description": "The {id} path parameter is converted to an integer (e.g. strconv.Atoi) and validated to be positive before use; returns 400 on invalid input",
"max_score": 8
},
{
"name": "No hardcoded secrets",
"description": "No passwords, connection strings, or secret keys appear as string literals in Go source files",
"max_score": 12
},
{
"name": "Secrets via os.Getenv",
"description": "Database URL/connection string and JWT secret (or equivalent credentials) are read from environment variables using os.Getenv or equivalent",
"max_score": 10
},
{
"name": "Fail-fast on missing secrets",
"description": "The program exits or logs a fatal error at startup if a required environment variable (e.g. DATABASE_URL, JWT_SECRET) is empty or missing",
"max_score": 10
},
{
"name": ".env.example present",
"description": "A .env.example (or similar) file is present listing the required environment variable names",
"max_score": 6
},
{
"name": "Body field validation",
"description": "POST and PATCH handlers validate required body fields (e.g. title must not be empty) and return 400 with a descriptive error message if validation fails",
"max_score": 10
},
{
"name": "Body size limited",
"description": "Request body size is limited using http.MaxBytesReader (or equivalent middleware) to prevent unbounded reads",
"max_score": 10
}
]
}