Top 23 Go Security Projects
Fast, multi-platform web server with automatic HTTPS
Project mention: Caddy – The Ultimate Server with Automatic HTTPS | news.ycombinator.com | 2021-11-29
In my eyes, Caddy is a lovely web server that works pretty well as ingress for container clusters (e.g. Nomad, Docker Swarm etc.). That said, I can't help but feel that v1 was easier and in some ways nicer to use than v2, even though it's abandoned at this point.
That said, I have certain grievances with most of the web servers out there.
Apache2/httpd - actually decently usable even nowadays, but if the fragmentation of service names (httpd vs apache2, with additional scripts like a2enmod) between different distros doesn't hurt it, then the configuration format and how it does reverse proxying and path rewriting most certainly will. The performance is still passable, no matter what anyone says, my applications still have been the bottleneck in approx. 95% of the cases, though that might change with frameworks like Vert.X or such. The further down you scroll, the less user friendly it becomes: https://httpd.apache.org/docs/2.4/rewrite/remapping.html
Nginx - recently migrated my ingress to it at work, seems pretty okay so far, the configuration format seems to make a bit more sense and probably lies somewhere between Apache and Caddy as far as its ease of use and pleasantness goes. I no longer even need rewrite rules to get websockets working properly, which is nice. And my containers can have all of the necessary config in a single file vs the unnecessary boilerplate fragmentation that httpd forces upon me. For example, both of these seem more passable to me when compared to Apache2: https://docs.nginx.com/nginx/admin-guide/web-server/reverse-... and https://www.nginx.com/blog/creating-nginx-rewrite-rules/
Currently, my biggest gripe is that Nginx kills itself when it cannot resolve an upstream host, for example, while Docker containers are still starting, their health checks haven't passed and therefore their DNS records also haven't been created: https://stackoverflow.com/questions/42720618/docker-nginx-st... The worst part is that none of the suggested answers actually work for me, so I can't have a single Nginx instance be in front of the development environment with about 20 containers; a few of those being down when Nginx is being restarted will not let many of them be used until the startup finishes. Unacceptable.
Caddy - as stated before, I liked v1 more than v2, though the project itself is pretty close to as good as a web server might get. What I don't enjoy is them taking the old docs offline, merely letting you download an archive, nor am I a fan of the current docs, since at the current point in time they are a bit like running "tar --usage": https://caddyserver.com/docs/caddyfile/directives/reverse_pr...
It's nice that there are a few examples for the common use cases, but there probably could be even more, just look at what the PHP documentation has at the bottom for a good example: https://www.php.net/manual/en/function.str-replace.php (crowd sourced, but I like the idea of letting the community contribute useful information like that).
Apart from that, some of the behavior is weird and you will get a 200 when you'd expect to get a 502/404 in most other web servers: https://caddy.community/t/why-does-caddy-return-an-empty-200... which will sometimes be misleading ("Huh, I'm not getting any data in the response to my request, even though the status is 200 in my log, weird...")
Also, I remember when v1 had this "fail-fast" habit of shutting down the entire server when renewing/obtaining a certificate failed, something that I utterly hate when web servers do: https://github.com/caddyserver/caddy/issues/642 Admittedly, things are a bit better now: https://caddyserver.com/docs/automatic-https#errors I just don't understand why web servers can be so opinionated about these things and not provide something like "failure_action" in Docker Compose (https://docs.docker.com/compose/compose-file/compose-file-v3...) so that people can choose between either stopping everything as soon as problems manifest, or continuing with a "best effort" strategy.
If I'm hosting 100 sites behind a reverse proxy, I don't want 99 to be taken down just because 1 of them was misconfigured; the web server should be able to throw out a warning about that one host if I tell it to, and proceed to run the other 99 as instructed. When no web server forces me to cope with such brittleness will be a good day.
OpenID Certified™ OpenID Connect and OAuth Provider written in Go - cloud native, security-first, open source API security for your infrastructure. SDKs for any language. Compatible with MITREid.
Project mention: Simple OpenID Connect (OIDC) Provider? | reddit.com/r/selfhosted | 2021-10-23
DockerSlim (docker-slim): Don't change anything in your Docker container image and minify it by up to 30x (and for compiled languages even more) making it secure too! (free and open source)
Project mention: Is a 25MB hard size limit on K8s container image size reasonable? | reddit.com/r/kubernetes | 2021-11-25
That's incredibly small. I don't know how you'll be able to do this for your projects without heavily leveraging docker-slim: https://github.com/docker-slim/docker-slim
The Single Sign-On Multi-Factor portal for web apps
Project mention: Looking for reliable open-source 2FA self hosted server | reddit.com/r/sysadmin | 2021-11-18
The Swiss Army knife for 802.11, BLE, IPv4 and IPv6 networks reconnaissance and MITM attacks.
Project mention: Tunnel/forward TCP traffic for analysis | reddit.com/r/de_EDV | 2021-11-24
Certificate authority and access plane for SSH, Kubernetes, web applications, and databases
Project mention: Need help in SSH Login Monitoring and Terminal Commands Monitoring inside the VM | reddit.com/r/Proxmox | 2021-11-26
eBPF-based Networking, Security, and Observability
Project mention: Container security best practices: Ultimate guide | news.ycombinator.com | 2021-10-13
Run Linux Software Faster and Safer than Linux with Unikernels.
Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues
Project mention: trivy: Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues | reddit.com/r/CKsTechNews | 2021-11-10
A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.
Project mention: Teen caught in $46M dollar Bitcoin theft via buying a username | news.ycombinator.com | 2021-11-24
There's no consensus because there's no best answer. Here's an example of what you could do.
Generate a new seed phrase on a hardware wallet. Encrypt the seed phrase using https://github.com/FiloSottile/age with a symmetric password and print out the encrypted seed. Store the paper in a safety deposit box.
Write down the encryption password and the hardware PIN in an envelope to be opened in the event of your death.
All that said, this particular example is vulnerable in that you could be held at gunpoint and lose everything. So next we start talking about cold vs hot storage...
Simple and flexible tool for managing secrets
Project mention: It's Now Possible to Sign Arbitrary Data with Your SSH Keys | news.ycombinator.com | 2021-11-13
Yes it is, and they are awesome. git-crypt is a godsend for smaller projects (and maybe larger ones if permissions are granular enough) -- way simpler than sops and other alternatives, with native integration via git filters (smudge). I use it on a ton of projects.
Scan git repos (or files) for secrets using regex and entropy 🔑
Project mention: Question about secrets inside git repositories and how to deal with them | reddit.com/r/devops | 2021-08-02
We use a self-hosted GitLab instance where we turned on the option to at least detect .key files from commits. Another thing we do is we scan all our repositories using Gitleaks. It's fairly simple and works pretty well. It generates a text file report that will show you where a secret has been committed and by whom.
Open-Source Phishing Toolkit
Project mention: Awesome Penetration Testing | dev.to | 2021-10-06
Gophish - Open-source phishing framework.
Safely store secrets in Git/Mercurial/Subversion
Project mention: Quick Ansible Vault question | reddit.com/r/ansible | 2021-09-13
Golang security checker
Project mention: Container security best practices: Comprehensive guide | dev.to | 2021-11-16
For application code, there are different SAST (Static Application Security Testing) tools like SonarQube, which provide vulnerability scanners for different languages, gosec for analyzing Go code and detecting issues based on rules, linters, etc.
Manage your dotfiles across multiple diverse machines, securely.
Project mention: Chezmoi: Manage your dotfiles across multiple diverse machines, securely | news.ycombinator.com | 2021-11-21
Let's Encrypt client and ACME library written in Go
Project mention: My ISP blocks port 80? | reddit.com/r/homelab | 2021-11-23
lego is a commonly used library supporting most providers (close to 100). Apart from certbot, most auto-cert-provisioning functionality is using it as a library but it can also be run as a standalone.
Kubescape is the first open-source tool for testing if Kubernetes is deployed securely according to multiple frameworks: regulatory, customized company policies and DevSecOps best practices, such as the NSA-CISA and the MITRE ATT&CK®.
Project mention: Are you scanning your Kubernetes cluster with Kubescape? What are your thoughts? | reddit.com/r/kubernetes | 2021-11-28
Are you using Kubescape for testing if your Kubernetes cluster is deployed securely according to multiple frameworks?
An Efficient Enterprise-class Container Engine
Project mention: Ask HN: Any Good Alternative for Docker? | news.ycombinator.com | 2021-08-31
A Tool for Domain Flyovers
Project mention: Awesome Penetration Testing | dev.to | 2021-10-06
AQUATONE - Subdomain discovery tool utilizing various open sources producing a report that can be used as input to other tools.
CrowdSec - the open-source and participative IPS able to analyze visitor behavior & provide an adapted response to all kinds of attacks. It also leverages the crowd power to generate a global CTI database to protect the user network.
Project mention: Simply Sunday | reddit.com/r/selfhosted | 2021-11-28
I would advise you to take a look at CrowdSec; a modern version of fail2ban using crowdsourced threat intelligence in the sense that all users share information about attacks, thereby protecting each other. It protects ssh and nginx (I am guessing it might be what you use as reverse proxy) and much more and is capable of protecting it both on the network and application layer, e.g. directly in nginx. All parts of the software are communicating via an http(s) REST API, so you would need only one agent talking to bouncers and mitigating attacks via bouncers on whichever VM.
Automatic HTTPS for any Go program: fully-managed TLS certificate issuance and renewal
Project mention: Which web framework is more preferred or "industry standard" today? | reddit.com/r/golang | 2021-10-17
That said, I would use https://github.com/caddyserver/certmagic to manage your SSL certs.
🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
Project mention: Let's Encrypt for internal sites/apps | reddit.com/r/sysadmin | 2021-10-04
I recommend https://smallstep.com/certificates/ - everything you need to deploy an internal CA.
Security scanner for your Terraform code
Project mention: Container security best practices: Comprehensive guide | dev.to | 2021-11-16
If you are using infrastructure as code, incorporate IaC scanning tools like Apolicy, Checkov, tfsec, or cfn_nag to validate the configuration of your infrastructure before it is created or updated. Similar to other linting tools, apply IaC scanning tools locally and in your pipeline, and consider blocking changes that introduce security issues.
Go Security related posts
Running CloudQuery in AWS Lambda
1 project | dev.to | 29 Nov 2021
Are you scanning your Kubernetes cluster with Kubescape? What are your thoughts?
4 projects | reddit.com/r/kubernetes | 28 Nov 2021
Block GET requests that aren't to my website
1 project | reddit.com/r/nginx | 26 Nov 2021
How To Setup Your CTFd Platform With HTTPS And SSL
3 projects | dev.to | 25 Nov 2021
Is a 25MB hard size limit on K8s container image size reasonable?
3 projects | reddit.com/r/kubernetes | 25 Nov 2021
My ISP blocks port 80?
3 projects | reddit.com/r/homelab | 23 Nov 2021
Even large corporate institutions like McKinsey starts endorsing open-source...
1 project | reddit.com/r/opensource | 23 Nov 2021
What are some of the best open-source Security projects in Go? This list will help you:
3 | Lean and Mean Docker containers | 11,578