
Update gosec from v2.22.11 to v2.23.0#16070

Merged
pelikhan merged 5 commits into main from copilot/update-gosec-dependency
Feb 16, 2026

Conversation


Copilot AI commented Feb 16, 2026

Update gosec from v2.22.11 to v2.23.0

  • Understand the issue requirements
  • Explore repository structure and build/test commands
  • Update gosec dependency to v2.23.0
    • Run go get -u github.com/securego/gosec/v2@v2.23.0
    • Run go mod tidy
    • Update Makefile gosec version reference (line 158)
    • Handle golang.org/x/tools v0.42.0 compatibility issue (downgraded to v0.41.0)
  • Verify the update
    • Run make fmt to format code
    • Run make lint to run linters including gosec
    • Run make security-gosec to specifically test gosec
    • Note: Unrelated test failures in TestGetActionPinsSorting are pre-existing and not related to gosec update
  • Final validation
    • gosec v2.23.0 successfully installed and functional
    • All linters pass
    • Changes committed
  • Merge main branch and recompile
    • Merged origin/main (commits 0db50d8 and 50cc1f9)
    • Ran make recompile - no workflow changes needed
    • Working tree clean
Original prompt

This section details the original issue you should resolve

<issue_title>[deps]Update github.com/securego/gosec from v2.22.11 to v2.23.0</issue_title>
<issue_description>## Summary
Update github.com/securego/gosec dependency from v2.22.11 to v2.23.0

Current State

  • Package: github.com/securego/gosec/v2
  • Current Version: v2.22.11
  • Proposed Version: v2.23.0
  • Update Type: Minor

Why Separate Issue

⚠️ Minor version update with new features

  • This is a minor version update (v2.22.11 → v2.23.0)
  • Adds new taint analysis engine feature
  • Multiple enhancements and refactorings
  • May affect security scanning behavior
  • Needs individual review and testing

Safety Assessment

⚠️ Requires careful review

  • Minor version update indicates new features
  • New taint analysis engine may change scan results
  • Multiple rule enhancements may detect new issues
  • Performance optimizations may affect scan times
  • Review security scan output carefully after update

Changes

Major Features:

Improvements:

  • Optimize analyzer with parallel package processing
  • Implement entropy pre-filtering to optimize secret detection
  • Enhance slice bounds analysis with dynamic bounds handling
  • Support path-based rule exclusions via exclude-rules
  • Multiple performance optimizations to reduce allocations

Bug Fixes:

Links

Recommended Action

go get -u github.com/securego/gosec/v2@v2.23.0
go mod tidy

Testing Notes

  • Run all tests: make test-unit
  • Run security scanner: make lint (includes gosec)
  • Review security scan results for new findings
  • Check that no false positives are introduced
  • Verify performance is acceptable
  • Test with existing gosec configurations

Generated by Dependabot Dependency Checker

  • expires on Feb 18, 2026, 9:27 AM UTC

Comments on the Issue (you are @copilot in this section)
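The issue's recommended action (go get the new version, go mod tidy) and the task list above both touch two separate version pins: the gosec requirement in go.mod and the install line in the Makefile's security-gosec target, plus the golang.org/x/tools downgrade to v0.41.0. The script below is an added example, not code from this PR or the repository; it checks that those pins agree before the scanner is run. It assumes the Makefile installs gosec with a line of the form `go install github.com/securego/gosec/v2/cmd/gosec@<version>` (an assumption) and builds constructed go.mod and Makefile samples to run against.

```shell
#!/bin/sh
# Added example (not from the PR): verify the gosec version required by go.mod
# matches the version the Makefile installs, and that golang.org/x/tools stays
# at the pin the PR settled on. The Makefile install-line format is assumed.
set -eu

# make_samples: write constructed go.mod and Makefile samples to a temp dir
# and print the directory path. These stand in for the real repo files.
make_samples() {
  dir=$(mktemp -d)
  cat > "$dir/go.mod" <<'EOF'
module example.com/repo

go 1.24

require (
	github.com/securego/gosec/v2 v2.23.0
	golang.org/x/tools v0.41.0
)
EOF
  cat > "$dir/Makefile" <<'EOF'
security-gosec:
	go install github.com/securego/gosec/v2/cmd/gosec@v2.23.0
	gosec ./...
EOF
  printf '%s\n' "$dir"
}

# gosec_version_in_gomod DIR: print the gosec version required by go.mod.
gosec_version_in_gomod() {
  awk '$1 == "github.com/securego/gosec/v2" { print $2; exit }' "$1/go.mod"
}

# gosec_version_in_makefile DIR: print the version after '@' on the
# assumed "go install .../cmd/gosec@<version>" line (first match only).
gosec_version_in_makefile() {
  sed -n 's|.*github.com/securego/gosec/v2/cmd/gosec@\([^ ]*\).*|\1|p' "$1/Makefile" | head -n 1
}

# check_pins DIR WANT_GOSEC WANT_XTOOLS: return 0 only if go.mod and the
# Makefile agree on the gosec version and x/tools is at the expected pin.
check_pins() {
  dir=$1; want_gosec=$2; want_tools=$3
  mod=$(gosec_version_in_gomod "$dir")
  mk=$(gosec_version_in_makefile "$dir")
  tools=$(awk '$1 == "golang.org/x/tools" { print $2; exit }' "$dir/go.mod")
  [ "$mod" = "$want_gosec" ] || { echo "go.mod gosec=$mod, want $want_gosec"; return 1; }
  [ "$mk" = "$want_gosec" ] || { echo "Makefile gosec=$mk, want $want_gosec"; return 1; }
  [ "$tools" = "$want_tools" ] || { echo "x/tools=$tools, want $want_tools"; return 1; }
  echo "pins consistent: gosec $mod, x/tools $tools"
}
```

Run `check_pins "$(make_samples)" v2.23.0 v0.41.0` against the samples, or point it at a checkout by replacing the sample directory with the repo root.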



Copilot AI and others added 3 commits February 16, 2026 10:01
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Update github.com/securego/gosec from v2.22.11 to v2.23.0 Update gosec from v2.22.11 to v2.23.0 Feb 16, 2026
Copilot AI requested a review from pelikhan February 16, 2026 10:09
@pelikhan

@copilot merge main and recompile


Copilot AI commented Feb 16, 2026

@copilot merge main and recompile

Merged main and recompiled workflows. Commit: 093c8b0

The merge included:

  • Update actionlint v1.7.10 → v1.7.11
  • Weekday scheduling recommendations

No workflow recompilation changes were needed.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha (http block)
  • https://api.github.com/user
    • Triggering command: /usr/bin/gh gh api user --jq .login ACCEPT (http block)

If you need me to access, download, or install something from one of these locations, you can either:

@pelikhan pelikhan marked this pull request as ready for review February 16, 2026 10:26
Copilot AI review requested due to automatic review settings February 16, 2026 10:26
@pelikhan pelikhan merged commit d635c2b into main Feb 16, 2026
39 checks passed
@pelikhan pelikhan deleted the copilot/update-gosec-dependency branch February 16, 2026 10:28

Copilot AI left a comment


Pull request overview

This PR updates the gosec security scanner from v2.22.11 to v2.23.0, a minor version update that adds new features including a taint analysis engine and the G117 rule for secrets serialization detection. The update also includes several transitive dependency updates from the MCP SDK and other packages.

Changes:

  • Updated gosec direct dependency from v2.22.11 to v2.23.0 in go.mod
  • Updated Makefile gosec installation command to v2.23.0
  • Updated go.sum with new checksums for gosec and transitive dependencies (anthropic-sdk-go, openai-go, google.genai, golang.org/x/net, golang.org/x/telemetry, google/pprof, onsi/ginkgo, onsi/gomega)

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| go.mod | Updated gosec from v2.22.11 to v2.23.0 (line 19); updated transitive dependencies including anthropic-sdk-go v1.22.0, openai-go v3.18.0, google.genai v1.45.0, golang.org/x/net v0.50.0, golang.org/x/telemetry |
| go.sum | Added checksums for gosec v2.23.0 and updated transitive dependencies; properly maintains golang.org/x/tools at v0.41.0 per compatibility requirements |
| Makefile | Updated gosec installation version from v2.22.11 to v2.23.0 in security-gosec target (line 158) |

Successfully merging this pull request may close these issues.

[deps]Update github.com/securego/gosec from v2.22.11 to v2.23.0

3 participants