Security: Datasance/iofog-go-sdk

SECURITY.md

Security Policy

Reporting a vulnerability

If you believe you have found a security issue in the ioFog Go SDK:

  1. Do not open a public GitHub issue for exploitable vulnerabilities.
  2. Report through the Eclipse ioFog project security process or contact the maintainers privately with a description, impact, and reproduction steps.

For non-security bugs, use the public issue tracker.

Security gates (maintainers)

Before release tags, run:

make security-code   # gosec on ./pkg/...
make vulncheck       # govulncheck + go mod verify
make lint            # golangci-lint v2 (gosec intentionally excluded)
  • gosec runs via make security-code, not inside golangci-lint (edgelet pattern).
  • govulncheck scans ./pkg/... and verifies module integrity.

Documented gosec exceptions

| Rule | Location | Rationale |
|------|----------|-----------|
| G402 | pkg/client/http.go | Controller deployments commonly use self-signed TLS |
| G101 | pkg/microservices/declarations.go | Well-known service-account mount path constant, not a credential |

Undocumented #nosec findings fail make security-code.
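
One way a reviewer could cross-check suppressions against the table above, as an added example that is not the project's Makefile target or code. It assumes gosec's `#nosec RULE -- justification` comment form; the `auditNosec` helper and the sample file contents are hypothetical.

```go
package main
import (
	"fmt"
	"sort"
	"strings"
)

// documented mirrors the exceptions table on this page: rule ID -> the one file allowed to suppress it.
var documented = map[string]string{
	"G402": "pkg/client/http.go",
	"G101": "pkg/microservices/declarations.go",
}

// auditNosec (hypothetical) flags suppressions that are bare, unjustified, or undocumented. files: path -> source.
func auditNosec(files map[string]string) []string {
	findings := []string{}
	for path, src := range files {
		for i, line := range strings.Split(src, "\n") {
			_, rest, found := strings.Cut(line, "#nosec")
			if !found {
				continue
			}
			ids, why, _ := strings.Cut(rest, "--")
			rules := strings.Fields(ids)
			loc := fmt.Sprintf("%s:%d: ", path, i+1)
			if len(rules) == 0 {
				findings = append(findings, loc+"bare #nosec suppresses every rule")
			}
			if strings.TrimSpace(why) == "" {
				findings = append(findings, loc+"no justification after --")
			}
			for _, r := range rules {
				if documented[r] != path {
					findings = append(findings, loc+r+" not documented for this file")
				}
			}
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	files := map[string]string{ // constructed sample sources, not the SDK's real files
		"pkg/client/http.go": "c := newTLS() // #nosec G402 -- controller may use self-signed TLS",
		"pkg/example/x.go":   "k := load() // #nosec G101\nh := sum(b) // #nosec",
	}
	fmt.Println(strings.Join(auditNosec(files), "\n"))
}
```

A rule ID counts as documented only in the file the table names, so a G101 suppression copied into another file is still reported.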

There aren't any published security advisories