Go Security

Open-source Go projects categorized as Security

Top 23 Go Security Projects

  • GitHub repo Caddy

    Fast, multi-platform web server with automatic HTTPS

    Project mention: Caddy – The Ultimate Server with Automatic HTTPS | news.ycombinator.com | 2021-11-29

    In my eyes, Caddy is a lovely web server that works pretty well as ingress for container clusters (e.g. Nomad, Docker Swarm etc.). That said, i can't help but to feel that v1 was easier and in some ways nicer to use than v2, even though it's abandoned at this point.

    That said, i have certain grievances with most of the web servers out there.

    Apache2/httpd - actually decently usable even nowadays, but if the fragmentation of service names (httpd vs apache2, with additional scripts like a2enmod) between different distros doesn't hurt it, then the configuration format and how it does reverse proxying and path rewriting most certainly will. The performance is still passable, no matter what anyone says, my applications still have been the bottleneck in approx. 95% of the cases, though that might change with frameworks like Vert.X or such. The further down you scroll, the less user friendly it becomes: https://httpd.apache.org/docs/2.4/rewrite/remapping.html

    Nginx - recently migrated my ingress to it at work, seems pretty okay so far, the configuration format seems to make a bit more sense and probably lies somewhere between Apache and Caddy as far as its ease of use and pleasantness goes. I no longer even need rewrite rules to get websockets working properly, which is nice. And my containers can have all of the necessary config in a single file vs the unnecessary boilerplate fragmentation that httpd forces upon me. For example, both of these seem more passable to me when compared to Apache2: https://docs.nginx.com/nginx/admin-guide/web-server/reverse-... and https://www.nginx.com/blog/creating-nginx-rewrite-rules/

    Currently, my biggest gripe is that Nginx kills itself when it cannot resolve an upstream host, for example, while Docker containers are still starting, their health checks haven't passed and therefore their DNS records also haven't been created: https://stackoverflow.com/questions/42720618/docker-nginx-st... The worst part is that none of the suggested answers actually work for me, so i can't have a single Nginx instance be in front of the development environment with about 20 containers, a few of those being down when Nginx is being restarted will not let many of them be used until the startup finishes. Unacceptable.

    Caddy - as stated before, i liked v1 more than v2, though the project itself is pretty close to as good as a web server might get. What i don't enjoy is them taking the old docs offline, merely letting you download an archive, nor am i a fan of the current docs, since at the current point in time they are a bit like running "tar --usage": https://caddyserver.com/docs/caddyfile/directives/reverse_pr...

    It's nice that there are a few examples for the common use cases, but there probably could be even more, just look at what the PHP documentation has at the bottom for a good example: https://www.php.net/manual/en/function.str-replace.php (crowd sourced, but i like the idea of letting the community contribute useful information like that).

    Apart from that, some of the behavior is weird and you will get a 200 when you'd expect to get a 502/404 in most other web servers: https://caddy.community/t/why-does-caddy-return-an-empty-200... which will sometimes be misleading ("Huh, i'm not getting any data in the response to my request, even though the status is 200 in my log, weird...")

    Also, i remember when v1 had this "fail-fast" habit of shutting down the entire server when renewing/obtaining a certificate failed, something that i utterly hate when web servers do: https://github.com/caddyserver/caddy/issues/642 Admittedly, things are a bit better now: https://caddyserver.com/docs/automatic-https#errors I just don't understand why web servers can be so opinionated about these things and not provide something like "failure_action" in Docker Compose (https://docs.docker.com/compose/compose-file/compose-file-v3...) so that people can choose between either stopping everything as soon as problems manifest, or continuing with a "best effort" strategy.

    If i'm hosting 100 sites behind a reverse proxy, i don't want 99 to be taken down just because 1 of them was misconfigured, the web server should be able to throw out a warning about that one host if i tell it to, and proceed to run the rest 99 as instructed. When no web server forces me to cope with such brittleness will be a good day.

  • GitHub repo hydra

    OpenID Certified™ OpenID Connect and OAuth Provider written in Go - cloud native, security-first, open source API security for your infrastructure. SDKs for any language. Compatible with MITREid.

    Project mention: Simple OpenID Connect (OIDC) Provider? | reddit.com/r/selfhosted | 2021-10-23

  • GitHub repo Lean and Mean Docker containers

    DockerSlim (docker-slim): Don't change anything in your Docker container image and minify it by up to 30x (and for compiled languages even more) making it secure too! (free and open source)

    Project mention: Is a 25MB hard size limit on K8s container image size reasonable? | reddit.com/r/kubernetes | 2021-11-25

    That's incredibly small. I don't know how you'll be able to do this for your projects without heavily leveraging docker-slim: https://github.com/docker-slim/docker-slim

  • GitHub repo authelia

    The Single Sign-On Multi-Factor portal for web apps

    Project mention: Looking for reliable open-source 2FA self hosted server | reddit.com/r/sysadmin | 2021-11-18
  • GitHub repo bettercap

    The Swiss Army knife for 802.11, BLE, IPv4 and IPv6 networks reconnaissance and MITM attacks.

    Project mention: TCP Traffic tunneln/weiterleiten zur Analyse | reddit.com/r/de_EDV | 2021-11-24
  • GitHub repo Gravitational Teleport

    Certificate authority and access plane for SSH, Kubernetes, web applications, and databases

    Project mention: Need help in SSH Login Monitoring and Terminal Commands Monitoring inside the VM | reddit.com/r/Proxmox | 2021-11-26
  • GitHub repo cilium

    eBPF-based Networking, Security, and Observability

    Project mention: Container security best practices: Ultimate guide | news.ycombinator.com | 2021-10-13

  • GitHub repo trivy

    Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues

    Project mention: trivy: Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues | reddit.com/r/CKsTechNews | 2021-11-10
  • GitHub repo age

    A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.

    Project mention: Teen caught in $46M dollar Bitcoin theft via buying a username | news.ycombinator.com | 2021-11-24

    There's no consensus because there's no best answer. Here's an example of what you could do.

    Generate a new seed phrase on a hardware wallet. Encrypt the seed phrase using https://github.com/FiloSottile/age with a symmetric password and print out the encrypted seed. Store the paper in a safety deposit box.

    Write down the encryption password and the hardware PIN in an envelope to be opened in the event of your death.

    All that said, this particular example is vulnerable in that you could be held at gunpoint and lose everything. So next we start talking about cold vs hot storage...

  • GitHub repo sops

    Simple and flexible tool for managing secrets

    Project mention: It's Now Possible to Sign Arbitrary Data with Your SSH Keys | news.ycombinator.com | 2021-11-13

    Yes it is, and they are awesome. git-crypt[0] is a godsend for smaller projects (and maybe larger ones if permissions are granular enough) -- way simpler than sops[1] and other alternatives, with native integration via git filters (smudge). I use it on a ton of projects.

    [0]: https://www.agwa.name/projects/git-crypt/

    [1]: https://github.com/mozilla/sops

  • GitHub repo gitleaks

    Scan git repos (or files) for secrets using regex and entropy 🔑

    Project mention: Question about secrets inside git repositories and how to deal with them | reddit.com/r/devops | 2021-08-02

    We use a self hosted Gitlab instance where we turned on the option to at least detect .key files from commits. Another thing we do is we scan all our repositories using Gitleaks. It's fairly simple and works pretty well. Generates a text file report that will show you where a secret has been committed and by whom.

  • GitHub repo gophish

    Open-Source Phishing Toolkit

    Project mention: Awesome Penetration Testing | dev.to | 2021-10-06

    Gophish - Open-source phishing framework.

  • GitHub repo Blackbox

    Safely store secrets in Git/Mercurial/Subversion

    Project mention: Quick Ansible Vault question | reddit.com/r/ansible | 2021-09-13
  • GitHub repo gosec

    Golang security checker

    Project mention: Container security best practices: Comprehensive guide | dev.to | 2021-11-16

    For application code, there are different SAST (Static Application Security Testing) tools like sonarqube, which provide vulnerability scanners for different languages, gosec for analyzing go code and detecting issues based on rules, linters, etc.

  • GitHub repo chezmoi

    Manage your dotfiles across multiple diverse machines, securely.

    Project mention: Chezmoi: Manage your dotfiles across multiple diverse machines, securely | news.ycombinator.com | 2021-11-21
  • GitHub repo lego

    Let's Encrypt client and ACME library written in Go

    Project mention: My ISP blocks port 80? | reddit.com/r/homelab | 2021-11-23

    lego is a commonly used library supporting most providers (close to 100). Apart from certbot, most auto-cert-provisioning functionality is using it as a library but it can also be run as a standalone.

  • GitHub repo kubescape

    Kubescape is the first open-source tool for testing if Kubernetes is deployed securely according to multiple frameworks: regulatory, customized company policies and DevSecOps best practices, such as the NSA-CISA and the MITRE ATT&CK®.

    Project mention: Are you scanning your Kubernetes cluster with Kubescape? What are your thoughts? | reddit.com/r/kubernetes | 2021-11-28

    Are you using Kubescape for testing if your Kubernetes cluster is deployed securely according to multiple frameworks?

  • GitHub repo pouch

    An Efficient Enterprise-class Container Engine

    Project mention: Ask HN: Any Good Alternative for Docker? | news.ycombinator.com | 2021-08-31
  • GitHub repo aquatone

    A Tool for Domain Flyovers

    Project mention: Awesome Penetration Testing | dev.to | 2021-10-06

    AQUATONE - Subdomain discovery tool utilizing various open sources producing a report that can be used as input to other tools.

  • GitHub repo crowdsec

    CrowdSec - the open-source and participative IPS able to analyze visitor behavior & provide an adapted response to all kinds of attacks. It also leverages the crowd power to generate a global CTI database to protect the user network.

    Project mention: Simply Sunday | reddit.com/r/selfhosted | 2021-11-28

    I would advise you to take a look at CrowdSec; a modern version of fail2ban using crowdsourced threat intelligence in the sense that all users share information about attacks thereby protecting each other. It protects ssh and nginx (I am guessing it might be what you use as reverse proxy) and much more and is capable of protecting it both on network- and application layer, e.g. directly in nginx. All parts of the software are communicating via http(s) rest api so you would need only one agent talking to bouncers and mitigating attacks via bouncers on whichever VM.

  • GitHub repo certmagic

    Automatic HTTPS for any Go program: fully-managed TLS certificate issuance and renewal

    Project mention: Which web framework is more preferred or "industry standard" today? | reddit.com/r/golang | 2021-10-17

    That said, I would use https://github.com/caddyserver/certmagic to manage your SSL certs.

  • GitHub repo certificates

    🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.

    Project mention: Let's Encrypt for internal sites/apps | reddit.com/r/sysadmin | 2021-10-04

    I recommend https://smallstep.com/certificates/ everything you need to deploy an internal CA.

  • GitHub repo tfsec

    Security scanner for your Terraform code

    Project mention: Container security best practices: Comprehensive guide | dev.to | 2021-11-16

    If you are using infrastructure as code, incorporate IaC scanning tools like Apolicy, Checkov, tfsec, or cfn_nag to validate the configuration of your infrastructure before it is created or updated. Similar to other linting tools, apply IaC scanning tools locally and in your pipeline, and consider blocking changes that introduce security issues.

NOTE: The open source projects on this list are ordered by number of GitHub stars. The number of mentions indicates repo mentions in the last 12 months or since we started tracking (Dec 2020). The latest post mention was on 2021-11-29.

What are some of the best open-source Security projects in Go? This list will help you:

 #  Project                          Stars
 1  Caddy                            35,294
 2  hydra                            11,778
 3  Lean and Mean Docker containers  11,578
 4  authelia                         10,914
 5  bettercap                        10,624
 6  Gravitational Teleport           10,441
 7  cilium                            9,647
 8  trivy                             9,356
 9  age                               9,214
10  sops                              8,641
11  gitleaks                          8,625
12  gophish                           6,382
13  Blackbox                          6,010
14  gosec                             5,577
15  chezmoi                           5,289
16  lego                              4,934
17  kubescape                         4,582
18  pouch                             4,480
19  aquatone                          4,380
20  crowdsec                          4,008
21  certmagic                         3,826
22  certificates                      3,610
23  tfsec                             3,531