
tessl-labs/go-security-basics

Security defaults that belong in every Go HTTP server from day one — CORS, security headers, rate limiting, SQL injection prevention, input validation, secrets management, graceful shutdown, and request timeouts.

Quality: 83% (does it follow best practices?)

Impact: 99% (1.32x, average score across 5 eval scenarios)

Security (by Snyk): passed, no known issues


verifiers/sql-injection-prevention.json

{
  "instruction": "Use parameterized SQL queries with $1 placeholders -- never concatenate user input into SQL strings",
  "relevant_when": "Agent creates or modifies a Go HTTP server that queries a database, uses database/sql, or writes SQL queries in Go",
  "context": "SQL injection is the most critical vulnerability in database-backed Go applications. Always use parameterized queries with database/sql. Use $1, $2 placeholders for PostgreSQL or ? for SQLite/MySQL. Never use fmt.Sprintf, string concatenation (+), or strings.Builder to build SQL with user input. This applies to SELECT, INSERT, UPDATE, and DELETE queries.",
  "sources": [
    {
      "type": "file",
      "filename": "skills/go-security-basics/SKILL.md",
      "tile": "tessl-labs/go-security-basics@0.2.0"
    }
  ],
  "checklist": [
    {
      "name": "parameterized-queries",
      "rule": "Agent uses parameterized queries with $1/$2 placeholders (PostgreSQL) or ? placeholders (SQLite/MySQL) for all user-supplied values in SQL queries",
      "relevant_when": "Agent writes SQL queries in Go"
    },
    {
      "name": "no-sql-string-concat",
      "rule": "Agent does not use fmt.Sprintf, string concatenation (+), or any string building to insert user input into SQL query strings",
      "relevant_when": "Agent writes SQL queries in Go"
    },
    {
      "name": "context-aware-queries",
      "rule": "Agent uses context-aware query methods (QueryRowContext, QueryContext, ExecContext) with r.Context() to respect request cancellation and timeouts",
      "relevant_when": "Agent writes database queries in Go HTTP handlers"
    }
  ]
}
