[deps] Update github.com/securego/gosec/v2 from v2.24.7 to v2.25.0 #22399

Description

Opened by @github-actions

Summary

Update github.com/securego/gosec/v2 dependency from v2.24.7 to v2.25.0.

Current State

  • Package: github.com/securego/gosec/v2
  • Current Version: v2.24.7
  • Proposed Version: v2.25.0
  • Update Type: Minor version update

Why Separate Issue

⚠️ Minor version update with new security rules and features

  • This is a minor version update (v2.24.7 → v2.25.0)
  • Adds three new security detection rules (G124, G708, G709)
  • Includes dependency updates (grpc bump: 1.75.0 → 1.79.3)
  • New rules may flag previously-uncaught issues in the codebase
  • Needs individual review to assess impact on existing code and CI

Safety Assessment

⚠️ Requires careful review

  • New security rules may produce findings in existing code, requiring fixes or rule suppressions
  • grpc dependency bump across multiple minor versions warrants testing
  • Performance improvements and false positive fixes are beneficial

Changes

New Security Rules:

  • G124: Insecure HTTP cookie configuration
  • G708: Server-side template injection via text/template
  • G709: Unsafe deserialization of untrusted data

Bug Fixes:

  • G117: Reduced false positives for custom marshalers and transformed values
  • G118: Eliminated false positives for package-level cancel variables and struct field closures
  • G120: Ported from SSA-based to taint analysis (fixes race conditions)
  • Fixed infinite recursion in interprocedural taint analysis
  • Fixed SSA analysis panic on ill-typed packages

Performance:

  • Fixed hang on packages with many CHA call graph edges

Dependency Updates:

  • google.golang.org/grpc bumped from 1.75.0 to 1.79.3

New CWE Mappings:

  • Added G701–G706 rule-to-CWE mappings
  • Added CWE-117, CWE-918 entries

Recommended Action

go get -u github.com/securego/gosec/v2@v2.25.0
go mod tidy

Then run gosec to check if any new rules (G124, G708, G709) flag existing code:

make lint

If new findings appear, either fix the flagged code or add // #nosec GXX suppressions with justification comments.

Testing Notes

  • Run make lint to check if new rules produce any findings in the codebase
  • Run make test-unit to verify no regressions
  • Check that any gosec rule suppressions (#nosec) are still valid
  • Verify the grpc dependency bump doesn't cause indirect conflicts

Warning

⚠️ Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

  • pkg.go.dev
  • proxy.golang.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "pkg.go.dev"
    - "proxy.golang.org"

See Network Configuration for more information.

Generated by Dependabot Dependency Checker · expires on Mar 25, 2026, 9:36 AM UTC
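The triage step the issue describes (run the linter, then fix the flagged code or suppress with a justification) can be illustrated for the cookie rule. The Go program below is an added example and is not part of the generated issue, nor gosec's own code or tests. It assumes, from the rule's one-line description only, that "insecure HTTP cookie configuration" refers to a cookie missing Secure, HttpOnly or a Lax/Strict SameSite attribute; the function names, the `-- reason` justification tail on the `// #nosec G124` comment, and the cookie values are all constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"time"
)

// weakSessionCookie is the kind of construction a rule described as
// "insecure HTTP cookie configuration" would be expected to flag: a session
// cookie with no Secure, no HttpOnly and no SameSite attribute. It is the
// "before" form, kept only so the checker below has something to report.
func weakSessionCookie(value string) *http.Cookie {
	return &http.Cookie{
		Name:  "session",
		Value: value,
		Path:  "/",
	}
}

// hardenedSessionCookie is the form a fix would move to: sent only over TLS,
// unreadable from script, and not attached to cross-site requests.
func hardenedSessionCookie(value string) *http.Cookie {
	return &http.Cookie{
		Name:     "session",
		Value:    value,
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteStrictMode,
		Expires:  time.Now().Add(8 * time.Hour),
	}
}

// csrfTokenCookie deliberately leaves HttpOnly off because the front end must
// read the token and echo it back in a request header (double-submit pattern).
// This is the case where a suppression with a written justification is the
// right outcome of triage. The comment follows the `// #nosec GXX` pattern
// from the issue; the `-- reason` tail is the assumed justification syntax.
func csrfTokenCookie(token string) *http.Cookie {
	return &http.Cookie{ // #nosec G124 -- token must be readable by the SPA; it is not a session credential
		Name:     "csrf_token",
		Value:    token,
		Path:     "/",
		Secure:   true,
		HttpOnly: false,
		SameSite: http.SameSiteStrictMode,
	}
}

// cookieFindings performs the manual check a reviewer makes on a new finding:
// it lists which protective attributes are missing. An empty result means the
// cookie carries all three.
func cookieFindings(c *http.Cookie) []string {
	var out []string
	if !c.Secure {
		out = append(out, "Secure not set")
	}
	if !c.HttpOnly {
		out = append(out, "HttpOnly not set")
	}
	if c.SameSite != http.SameSiteLaxMode && c.SameSite != http.SameSiteStrictMode {
		out = append(out, "SameSite not Lax or Strict")
	}
	return out
}

func main() {
	// Constructed sample values; nothing here is a real session identifier.
	for _, c := range []*http.Cookie{
		weakSessionCookie("opaque-session-id"),
		hardenedSessionCookie("opaque-session-id"),
		csrfTokenCookie("constructed-token"),
	} {
		fmt.Printf("%-10s missing: %v\n", c.Name, cookieFindings(c))
	}
}
```

The point of the third cookie is that a suppression is only defensible when the deviation is intentional and the reason is recorded next to it; a `#nosec` on the weak session cookie would hide a real problem rather than document an accepted one.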

Metadata

Labels

  • cookie (Issue Monster Loves Cookies!)
  • dependencies (Pull requests that update a dependency file)
  • go
