OWASP Top 10 coverage, Autofixes, and easy configuration in the Go analyzer

Happy to announce that we are releasing 5 new security issues, 3 new Autofixes and simpler configuration for our Go analyzer. :rocket:

What’s New?

DeepSource’s Go analyzer now fully covers OWASP’s Top Ten security risk categories. Configuring the Go analyzer for your repository is also easier than before: there is no need to set import_paths by hand; just set import_root and you’re done. And yes, 3 new Autofixes have been added to the Go analyzer.

Features

  • Add new security rule: Detect exposure of sensitive headers (GO-S0901, OWASP A6)
  • Add new security rule: Detect usage of insecure gRPC server (GO-S0902, OWASP A8)
  • Add new security rule: Detect XML package usage vulnerable to XXE attacks (GO-S0903, OWASP A4)
  • Add new security rule: Detect possible usage of Logger for infected user defined data (GO-S0904, OWASP [A1, A10])
  • Add new security rule: Detect usage of encoding/xml – not safe by design for security-critical operation (GO-S0905, OWASP [A2, A9])
  • Add new Autofix: Use plain channel send or receive (SCC-S1000)
  • Add new Autofix: Function call can be replaced with helper function (CRT-A0010)
  • Add new Autofix: Types of function parameters can be combined (CRT-A0017)
  • Configuring the Go analyzer is simpler than before: a single “import_root” field is now all that is required. Previously the “import_paths” array was mandatory alongside “import_root” when a repository had multiple import paths. The change is backward compatible, so existing configurations keep working.
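To make the first and fourth rules above concrete, here is an added example (written for this post, not DeepSource’s own code or the analyzer’s detection logic) showing the kind of code GO-S0904 and GO-S0901 are aimed at, next to a hardened version. The vulnerable handler passes a user-controlled query parameter straight into the logger and copies the request’s Authorization header into a response header; the hardened handler escapes control characters before logging and redacts a fixed set of sensitive headers. The sanitizeForLog and redactHeaders helpers, the sensitiveHeaders list and the constructed request are assumptions for illustration; the exact patterns and header names the rules match are not on this page.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
	"unicode"
)

// sanitizeForLog neutralises log injection: newlines and other control
// characters in user-controlled data are escaped so that one request
// cannot forge extra log lines or corrupt the record. (Hypothetical helper.)
func sanitizeForLog(s string) string {
	var b strings.Builder
	for _, r := range s {
		switch {
		case r == '\n':
			b.WriteString("\\n")
		case r == '\r':
			b.WriteString("\\r")
		case unicode.IsControl(r):
			b.WriteString(fmt.Sprintf("\\x%02x", r))
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// sensitiveHeaders is an assumed list of request headers that must never be
// echoed back or written to logs; GO-S0901's actual list is not on the page.
var sensitiveHeaders = map[string]bool{
	"Authorization": true,
	"Cookie":        true,
	"X-Api-Key":     true,
}

// redactHeaders returns a copy of h with sensitive values masked.
func redactHeaders(h http.Header) http.Header {
	out := http.Header{}
	for k, vs := range h {
		if sensitiveHeaders[http.CanonicalHeaderKey(k)] {
			out[k] = []string{"[REDACTED]"}
			continue
		}
		out[k] = append([]string(nil), vs...)
	}
	return out
}

// vulnerableHandler: the "user" parameter flows unmodified into log.Printf
// (the pattern GO-S0904 targets) and the Authorization header is copied
// into the response (the kind of exposure GO-S0901 targets).
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	user := r.URL.Query().Get("user")
	log.Printf("login attempt for user=%s", user)
	w.Header().Set("X-Debug-Auth", r.Header.Get("Authorization"))
	fmt.Fprintln(w, "ok")
}

// hardenedHandler: same behaviour, with the user value escaped before logging
// and sensitive headers redacted from anything that is logged or echoed.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	user := sanitizeForLog(r.URL.Query().Get("user"))
	log.Printf("login attempt for user=%s", user)
	log.Printf("request headers=%v", redactHeaders(r.Header))
	fmt.Fprintln(w, "ok")
}

func main() {
	// Constructed request: a newline smuggled into the user parameter, plus a
	// bearer token that must not leak into the response.
	req := httptest.NewRequest(http.MethodGet, "/login?user=alice%0aINFO+admin+logged+in", nil)
	req.Header.Set("Authorization", "Bearer constructed-token")
	rec := httptest.NewRecorder()
	hardenedHandler(rec, req)
	fmt.Printf("X-Debug-Auth in response: %q\n", rec.Header().Get("X-Debug-Auth"))
}
```

Running it logs a single line for the login attempt, with the injected newline rendered as the two characters `\n`, and the printed response header is empty; swapping in vulnerableHandler shows the forged second log line and the leaked token, which is what the analyzer reports on.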