Hello Go developers and AI agents,
We are excited to announce that Sonar now supports Taint Analysis for Go, enabling you to detect injection vulnerabilities in your Go projects!
Supported Security Rules
Our Go Taint Analysis currently supports the following rules:
- Database queries should not be vulnerable to injection attacks
- Extracting archives should not lead to zip slip vulnerabilities
- HTTP request redirections should not be open to forging attacks
- I/O function calls should not be vulnerable to path injection attacks
- Logging should not be vulnerable to injection attacks
- OS commands should not be vulnerable to command injection attacks
- Constructing arguments of system commands from user input is security-sensitive
- Server-side requests should not be vulnerable to forging attacks
- XPath expressions should not be vulnerable to injection attacks
Example of an issue raised by “Change this code to not construct the path from user-controlled data”:
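That issue message comes from the path-injection rule. As an added illustration (not Sonar's code and not part of the original post), the Go program below shows the pattern the rule reports beside one way to fix it: the path is joined, cleaned and then checked to still lie under the intended directory before any file is opened. The function names, the /srv/reports directory and the sample inputs are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a user-supplied path resolves outside the
// directory it is supposed to be confined to.
var ErrOutsideBase = errors.New("path escapes base directory")

// unsafeUserPath is the pattern the path-injection rule reports: the file path
// is built directly from user-controlled data (e.g. a query parameter) and
// nothing confines it to baseDir, so "../" segments walk out of it.
func unsafeUserPath(baseDir, userInput string) string {
	return filepath.Join(baseDir, userInput)
}

// safeUserPath is one way to satisfy the rule: join and clean the path, then
// verify that the result still lies under baseDir before touching the file
// system. Absolute user input is rejected outright rather than silently
// re-rooted under baseDir.
func safeUserPath(baseDir, userInput string) (string, error) {
	if filepath.IsAbs(userInput) {
		return "", ErrOutsideBase
	}
	base := filepath.Clean(baseDir)
	full := filepath.Join(base, userInput) // Join cleans ".." and "." segments
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	// After cleaning, an escaping path is exactly ".." or starts with "../";
	// a name such as "..hidden" is a legitimate entry under base and passes.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return full, nil
}

func main() {
	// Constructed sample inputs: what a request handler might receive.
	const baseDir = "/srv/reports" // hypothetical report directory
	inputs := []string{"q1/summary.txt", "../../etc/passwd", "..", "/etc/hosts", "..hidden"}
	for _, input := range inputs {
		fmt.Printf("unsafe: %q -> %q\n", input, unsafeUserPath(baseDir, input))
		if p, err := safeUserPath(baseDir, input); err != nil {
			fmt.Printf("safe:   %q -> rejected (%v)\n", input, err)
		} else {
			fmt.Printf("safe:   %q -> %q\n", input, p)
		}
	}
}
```

The containment check is purely lexical: a symbolic link inside baseDir can still point elsewhere, so code that serves files from a directory that untrusted users can write to should additionally resolve the path with filepath.EvalSymlinks or, on Go 1.24 and later, open files through os.Root so the kernel enforces the boundary.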
For a complete list of Go security rules, please visit the Sonar Go Rules page.
Feedback
As this is the first release of these 9 injection rules, your feedback is more valuable than ever. Let us know how it works for you and help us make Go development (written by hand or generated by AI) even more secure!
Enjoy!
Alex
Note: this feature and new rules will be part of SonarQube Server 2025.4 (end of July 2025)