If you believe you have found a security issue in the ioFog Go SDK:
- Do not open a public GitHub issue for exploitable vulnerabilities.
- Report through the Eclipse ioFog project security process or contact the maintainers privately with a description, impact, and reproduction steps.
For non-security bugs, use the public issue tracker.
Before release tags, run:

```bash
make security-code   # gosec on ./pkg/...
make vulncheck       # govulncheck + go mod verify
make lint            # golangci-lint v2 (gosec intentionally excluded)
```

- gosec runs via `make security-code`, not inside golangci-lint (edgelet pattern).
- govulncheck scans `./pkg/...` and verifies module integrity.

| Rule | Location | Rationale |
|---|---|---|
| G402 | `pkg/client/http.go` | Controller deployments commonly use self-signed TLS |
| G101 | `pkg/microservices/declarations.go` | Well-known service-account mount path constant, not a credential |

Undocumented `#nosec` findings fail `make security-code`.
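
The G402 row above concerns gosec's check for weak TLS client settings, which includes `InsecureSkipVerify`. As an added example (not code from the ioFog SDK), this shows a Go client keeping verification on for a self-signed server by pinning its certificate in `RootCAs`; the `httptest` server stands in for a controller, and `clientFor` and `probe` are hypothetical names.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// clientFor returns an HTTP client that trusts only the given pool
// (nil means the system roots), with certificate verification left on.
func clientFor(pool *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
	}}
}

// probe starts a local server with a self-signed certificate (a constructed
// stand-in for a controller) and reports whether each client gets a 200.
func probe() (pinnedOK, defaultOK bool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	defer srv.Close()

	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // pin the server's own certificate

	try := func(c *http.Client) bool {
		resp, err := c.Get(srv.URL)
		if err != nil {
			return false // handshake failed: certificate not trusted
		}
		resp.Body.Close()
		return resp.StatusCode == http.StatusOK
	}
	// The pinned client verifies the chain against the pool; the client
	// with system roots rejects the self-signed certificate.
	return try(clientFor(pool)), try(clientFor(nil))
}

func main() {
	pinned, def := probe()
	fmt.Printf("pinned pool: %v, system roots: %v\n", pinned, def)
}
```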