Sqreen's Application Security Management for the Go language

Overview

Sqreen for Go

Sqreen's Application Security Management for Go

After performance monitoring (APM), error and log monitoring it’s time to add a security component into your app. Sqreen’s microagent automatically monitors sensitive app’s routines, blocks attacks and reports actionable infos to your dashboard.

Sqreen for Go

Sqreen provides automatic defense against attacks:

  • Protect with security modules: RASP (Runtime Application Self-Protection), in-app WAF (Web Application Firewall), Account takeovers and more.

  • Sqreen’s modules adapt to your application stack with no need of configuration.

  • Prevent attacks from the OWASP Top 10 (Injections, XSS and more), 0-days, data Leaks, and more.

  • Create security automation playbooks that automatically react against your advanced business-logic threats.

For more details, visit sqreen.com

Quick start

  1. Use the middleware function for the Go web framework you use:

    If your framework is not listed, it is usually possible to use instead the standard net/http middleware. If not, please, let us know by creating an issue.

  2. Compile your program with Sqreen

    Sqreen's dynamic configuration of your protection is made possible thanks to Go instrumentation. It is safely performed at compilation time by the following instrumentation tool.

    Install the following instrumentation tool and compile your program using it in order to enable Sqreen.

    1. Use go install to compile the instrumentation tool:

      $ go install github.com/sqreen/go-agent/sdk/sqreen-instrumentation-tool

      By default, the resulting sqreen-instrumentation-tool tool is installed in the bin directory of the GOPATH. You can find it using go env GOPATH.

    2. Configure the Go toolchain to use it:

      Use the instrumentation tool using the go options -a -toolexec /path/to/sqreen-instrumentation-tool.

      It can be done either in your Go compilation command lines or by setting the GOFLAGS environment variable.

      For example, the following two commands are equivalent:

      $ go build -a -toolexec $(go env GOPATH)/bin/sqreen-instrumentation-tool my-project
      $ env GOFLAGS="-a -toolexec $(go env GOPATH)/bin/sqreen-instrumentation-tool" go build my-project
  3. Signup to Sqreen to get your app credentials:

    app_name: Your Go app name
    token: your token

    This file can be stored in your current working directory when starting the executable, the same directory as your app's executable file, or in any other path by defining the configuration file location into the environment variable SQREEN_CONFIG_FILE.

Congratulations, your Go web application is now protected by Sqreen!

Sqreen for Go

Advanced integration

Optionally, use the SDK to perform user monitoring or custom security events you would like to track and possibly block.

Comments
  • agent: making agent internals private

    agent: making agent internals private

    Move the agent internals into a package named internal, which makes it importable from parent packages only, and thus impossible to import from outside packages.

    It is therefore required to separate the SDK dependency to the agent internals by defining a Go interface including everything it expects from the agent. The agent automatically "sets itself" on initialization. When the agent is not included, the SDK uses a disabled agent, which no-ops everything.

    A consequence is that it is easy now to unit-test the SDK with 100% coverage by simply mocking the agent and checking everything.

    Related to SQR-5192, SQR-5204, SQR-5242 and SQR-5262.

    opened by Julio-Guerra 5
  • sdk/middleware/sqgin: fix request ctx

    sdk/middleware/sqgin: fix request ctx

    This fixes a bug where gin's c.Request's context gets overwritten by the sqgin middleware

    If you set some values in the context of c.Request, you won't be able to retrieve them after sqgin's 'middlewareHandler' has done its work

    bug 
    opened by amnay-mo 2
  • Optimize the WAF with large requests

    Optimize the WAF with large requests

    Enforce a few memory limits so that the new benchmark is fast enough (ie. ~1ms max) no matter the input request.

    To do so:

    • the binding accessor execution limits its maximum traversal depth.
    • the binding accessor transformation limits its number of results and traversal depth.
    • WAF value marshaling has been optimized in https://github.com/sqreen/go-libsqreen/pull/8 using the new benchmark.

    A lot of new tests have been added to cover hopefully every possible case.

    enhancement internals 
    opened by Julio-Guerra 2
  • Configurable blocking security response

    Configurable blocking security response

    Make the existing blocking security response HTTP handler configurable by Sqreen rules received at run time. This feature introduces the first building blocks of "dynamic instrumentation" for Go, in particular a hooking library in pure Go.

    • [x] API to get the list of rules
    • [x] Implement the rules reloading agent command.
    • [x] Adapt the agent logic of instrumentation enable/disable with rules reloading.
    • [x] Implement the rule engine required for this feature and this rule.
    • [x] Implement a hooking library for Go that will be used in the security response's HTTP handler.
    • [x] Add a hook into the security response HTTP handler.
    • [x] Implement the callback factory used by the rule engine to instantiate callbacks to be attached to a hook.
    • [x] Add a development configuration option to add local rules.
    opened by Julio-Guerra 2
  • Release v0.1.0-beta.5

    Release v0.1.0-beta.5

    | # | x | Content | Record | | :----: | :-: | ----- | ----- | | 0 | x | Ensure that the release schedule is followed | | | 1 | x | Check the pull requests on the agent. Any left open should have a good reason to be | | | 2 | x | Make sure every projected ticket for this release in Jira has been resolved. Move them otherwise. | | | 3 | x | Check pull requests on ShieldRules and other actions on Rules | N/A | | 4 | N/A | Launch integrations tests on the release PR | N/A | | 5 | x | Perform manual tests against current production backend | | | 6 | x | Perform performance tests | perf-tests | | 7 | x | Update CHANGELOG.md | | | 8 | x | Update the documentation, including the release note | https://github.com/sqreen/Documentation/pull/438 | | 9 | x | Update Agent feature matrix | agent-matrix | | 10 | N/A | Deploy rules to enable a new agent feature. Ensure the rule includes the agent's version. | | | 11 | x | Organize a dogfooding session. Target the common architectures of our clients. | |

    release 
    opened by Julio-Guerra 2
  • Release v0.1.0 beta.3

    Release v0.1.0 beta.3

    | # | x | Content | Record | | :----: | :-: | ----- | ----- | | 0 | x | Ensure that you are respecting the release schedule (only release every other week in normal circumstances) | | | 1 | x | Check the pull requests on the agent. Any left open should have a good reason to be | | | 2 | N/A | If the release already exist in Jira, make sure every projected ticket for this release has been resolved. Create it otherwise. | | | 3 | N/A | Check pull requests on ShieldRules and other actions on Rules. | | | 4 | x | Launch integrations tests on the PR. Meanwhile, perform manual tests against current production backend. | | | 5 | x | Perform performance tests | | | 6 | x | Update Changelog in the agent GIT repo | | | 7 | x | Add potential changes of agent behavior to the agents documentation | | | 8 | x | Update Agent feature matrix | | | 9 | N/A | Merge PR (expect for Go) | | | 10 | N/A | If a rule need to be deployed to enable a new agent feature, it should be deployed then. Ensure rule is versioned accordingly to this agent's version. | | | 11 | x | Organize a dogfooding session with your buddy (1h+). Target the common architectures of our clients. | | | 12 | N/A | Trigger one click deploy on Jenkins or merge to master for Go. | | | 13 | N/A | For PHP only, create new version for extension (and / or daemon) in Admin interface | | | 14 | X | Create PR with release notes in documentation repository | | | 15 | N/A | Update agents of Sqreen services to use latest agent versions (e.g. Python: Back-End, Java: Jenkins, ...). | | | 16 | X | Send an email to the team regarding the release. | |

    release 
    opened by Julio-Guerra 2
  • sdk/middleware/sqiris: middleware function for Iris

    sdk/middleware/sqiris: middleware function for Iris

    • [x] Middleware function for Iris.
    • [x] Iris-specific FromContext() function as Iris' context does not implement the Go context interface
    • [ ] Wait for kataras/iris#1180 to be able to modify the request and be able to use sdk.FromContext().

    Closes SQR-5407

    enhancement sdk 
    opened by Julio-Guerra 2
  • Jenkinsfile Update

    Jenkinsfile Update

    I checked the Jenkinsfile and i was wondering, why you do not just use containers with the dependencies you need in different steps ?

    You could have a container with make, one with go, one with codecov and run it instead of building your own image no ?

    You can keep yours for local dev still :)

    You don't have to use only one container for your build :)

    You would write it like so : ! This is not valid syntax, it's just to explain the idea

    podTemplate(containers: [go, make, codecov]) { stage('Tests') { parallel([ 'Regular': { container('go') { sh 'go env'

                           }
                           container('make') { 
                                 sh 'make test'
                            }
                        },
                        'With coverage': {
                             container('make') { 
                                sh 'make test-coverage'
                            }
                            container('codevov') { 
                                codecov.analyze('codecov-agent-go-token')
                            }
                        },
                        'With race detection': {
                            container('make') { 
                                 sh 'make test-race'
                            }
                        }
                    ])
    

    }

    enhancement 
    opened by QuentinBisson 2
  • Version in `./internal/version/version.go` shows 1.0.4  (for the 1.0.5 tag / master)

    Version in `./internal/version/version.go` shows 1.0.4 (for the 1.0.5 tag / master)

    The version located in internal/version/version.go is 1.0.4 - but the repo is tagged at 1.0.5

    This makes it a bit confusing when you build the instrumentation agent and it says 1.0.4 even though you're pulling down the 1.0.5 tagged code.

    opened by bwalding 1
  • agent/protection/http: lazy access to post form values

    agent/protection/http: lazy access to post form values

    Remove the current call to ParseForm() in the middlewares in favor of a direct access to the cached value in the Request structure. This value is not nil when the request handler has called ParseForm() itself. Meaning that the In-WAF and RASP protections will now only consider the POST form values of the request when actually parsed by the request handler.

    Note that the In-App WAF is now dynamically attached to ParseForm() which returns a non-nil error of type *SqreenError when blocked by the In-App WAF (cf. https://docs.sqreen.com/go/integration for more details).

    This fixes the usage of the Go agent in a reverse proxy server where the agent was consuming the body because of the call to ParseForm(), making later reads to Request.Body return EOF. A server can now correctly copy the request body.

    bug 
    opened by Julio-Guerra 1
  • In-App WAF

    In-App WAF

    The Web-Application Firewall allows to block HTTP requests as early as possible. The WAF rules are configured into the dashboard and can either monitor or block the request when they matched.

    Implementation:

    • [x] Add a binding accessor expression compiler to dynamically get data from a given data context
    • [x] Adapt the rule engine to call a Close() method when a callback is removed in order to release C++ library memory which is out of the GC's scope.
    • [x] Adapt the rule context passed to callbacks in order to create WAF attack events.
    • [x] Refactor the request record into its own package in order to be able to use it from callbacks to add WAF attack events.
    • [x] Add a new in-app WAF callback using the bindings to the C++ WAF library:
      • [x] Compile binding accessor expressions provided by the in-app WAF rule.
      • [x] Convert the resulting Go value to the expected C++ WAF library input values.
      • [x] Add a new hookpoint suitable for the in-app WAF callback early in the request handling.
    enhancement 
    opened by Julio-Guerra 1
  • build(deps): bump github.com/labstack/echo/v4 from 4.1.17 to 4.9.0

    build(deps): bump github.com/labstack/echo/v4 from 4.1.17 to 4.9.0

    Bumps github.com/labstack/echo/v4 from 4.1.17 to 4.9.0.

    Release notes

    Sourced from github.com/labstack/echo/v4's releases.

    v4.9.0

    Security

    • Fix open redirect vulnerability in handlers serving static directories (e.Static, e.StaticFs, echo.StaticDirectoryHandler) #2260

    Enhancements

    • Allow configuring ErrorHandler in CSRF middleware #2257
    • Replace HTTP method constants in tests with stdlib constants #2247

    v4.8.0

    Most notable things

    You can now add any arbitrary HTTP method type as a route #2237

    e.Add("COPY", "/*", func(c echo.Context) error 
      return c.String(http.StatusOK, "OK COPY")
    })
    

    You can add custom 404 handler for specific paths #2217

    e.RouteNotFound("/*", func(c echo.Context) error { return c.NoContent(http.StatusNotFound) })
    

    g := e.Group("/images") g.RouteNotFound("/*", func(c echo.Context) error { return c.NoContent(http.StatusNotFound) })

    Enhancements

    • Add new value binding methods (UnixTimeMilli,TextUnmarshaler,JSONUnmarshaler) to Valuebinder #2127
    • Refactor: body_limit middleware unit test #2145
    • Refactor: Timeout mw: rework how test waits for timeout. #2187
    • BasicAuth middleware returns 500 InternalServerError on invalid base64 strings but should return 400 #2191
    • Refactor: duplicated findStaticChild process at findChildWithLabel #2176
    • Allow different param names in different methods with same path scheme #2209
    • Add support for registering handlers for different 404 routes #2217
    • Middlewares should use errors.As() instead of type assertion on HTTPError #2227
    • Allow arbitrary HTTP method types to be added as routes #2237

    v4.7.2

    Fixes

    • Fix nil pointer exception when calling Start again after address binding error #2131
    • Fix CSRF middleware not being able to extract token from multipart/form-data form #2136
    • Fix Timeout middleware write race #2126

    Enhancements

    ... (truncated)

    Changelog

    Sourced from github.com/labstack/echo/v4's changelog.

    v4.9.0 - 2022-09-04

    Security

    • Fix open redirect vulnerability in handlers serving static directories (e.Static, e.StaticFs, echo.StaticDirectoryHandler) #2260

    Enhancements

    • Allow configuring ErrorHandler in CSRF middleware #2257
    • Replace HTTP method constants in tests with stdlib constants #2247

    v4.8.0 - 2022-08-10

    Most notable things

    You can now add any arbitrary HTTP method type as a route #2237

    e.Add("COPY", "/*", func(c echo.Context) error 
      return c.String(http.StatusOK, "OK COPY")
    })
    

    You can add custom 404 handler for specific paths #2217

    e.RouteNotFound("/*", func(c echo.Context) error { return c.NoContent(http.StatusNotFound) })
    

    g := e.Group("/images") g.RouteNotFound("/*", func(c echo.Context) error { return c.NoContent(http.StatusNotFound) })

    Enhancements

    • Add new value binding methods (UnixTimeMilli,TextUnmarshaler,JSONUnmarshaler) to Valuebinder #2127
    • Refactor: body_limit middleware unit test #2145
    • Refactor: Timeout mw: rework how test waits for timeout. #2187
    • BasicAuth middleware returns 500 InternalServerError on invalid base64 strings but should return 400 #2191
    • Refactor: duplicated findStaticChild process at findChildWithLabel #2176
    • Allow different param names in different methods with same path scheme #2209
    • Add support for registering handlers for different 404 routes #2217
    • Middlewares should use errors.As() instead of type assertion on HTTPError #2227
    • Allow arbitrary HTTP method types to be added as routes #2237

    v4.7.2 - 2022-03-16

    Fixes

    • Fix nil pointer exception when calling Start again after address binding error #2131
    • Fix CSRF middleware not being able to extract token from multipart/form-data form #2136
    • Fix Timeout middleware write race #2126

    ... (truncated)

    Commits
    • 16d3b65 Changelog for 4.9.0
    • 0ac4d74 Fix #2259 open redirect vulnerability in echo.StaticDirectoryHandler (used by...
    • d77e8c0 Added ErrorHandler and ErrorHandlerWithContext in CSRF middleware (#2257)
    • 534bbb8 replace POST constance with stdlib constance
    • fb57d96 replace GET constance with stdlib constance
    • d48197d Changelog for 4.8.0
    • cba12a5 Allow arbitrary HTTP method types to be added as routes
    • a327884 add:README.md-Third-party middlewares-github.com/go-woo/protoc-gen-echo
    • 61422dd Update CI-flow (Go 1.19 +deps)
    • a9879ff Middlewares should use errors.As() instead of type assertion on HTTPError
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 0
  • build(deps): bump github.com/gin-gonic/gin from 1.3.0 to 1.7.0

    build(deps): bump github.com/gin-gonic/gin from 1.3.0 to 1.7.0

    Bumps github.com/gin-gonic/gin from 1.3.0 to 1.7.0.

    Release notes

    Sourced from github.com/gin-gonic/gin's releases.

    Release v1.7.0

    BUGFIXES

    • fix compile error from #2572 (#2600)
    • fix: print headers without Authorization header on broken pipe (#2528)
    • fix(tree): reassign fullpath when register new node (#2366)

    ENHANCEMENTS

    • Support params and exact routes without creating conflicts (#2663)
    • chore: improve render string performance (#2365)
    • Sync route tree to httprouter latest code (#2368)
    • chore: rename getQueryCache/getFormCache to initQueryCache/initFormCa (#2375)
    • chore(performance): improve countParams (#2378)
    • Remove some functions that have the same effect as the bytes package (#2387)
    • update:SetMode function (#2321)
    • remove a unused type SecureJSONPrefix (#2391)
    • Add a redirect sample for POST method (#2389)
    • Add CustomRecovery builtin middleware (#2322)
    • binding: avoid 2038 problem on 32-bit architectures (#2450)
    • Prevent panic in Context.GetQuery() when there is no Request (#2412)
    • Add GetUint and GetUint64 method on gin.context (#2487)
    • update content-disposition header to MIME-style (#2512)
    • reduce allocs and improve the render WriteString (#2508)
    • implement ".Unwrap() error" on Error type (#2525) (#2526)
    • Allow bind with a map[string]string (#2484)
    • chore: update tree (#2371)
    • Support binding for slice/array obj [Rewrite] (#2302)
    • basic auth: fix timing oracle (#2609)
    • Add mixed param and non-param paths (port of httprouter#329) (#2663)
    • feat(engine): add trustedproxies and remoteIP (#2632)

    Improve performance

    ENHANCEMENTS

    • Improve performance: Change *sync.RWMutex to sync.RWMutex in context. #2351

    release v1.6.2

    Release Notes

    • BUGFIXES
      • fix missing initial sync.RWMutex (#2305)
    • ENHANCEMENTS
      • Add set samesite in cookie. (#2306)

    Contributors

    release v1.6.1

    ... (truncated)

    Changelog

    Sourced from github.com/gin-gonic/gin's changelog.

    Gin v1.7.0

    BUGFIXES

    • fix compile error from #2572 (#2600)
    • fix: print headers without Authorization header on broken pipe (#2528)
    • fix(tree): reassign fullpath when register new node (#2366)

    ENHANCEMENTS

    • Support params and exact routes without creating conflicts (#2663)
    • chore: improve render string performance (#2365)
    • Sync route tree to httprouter latest code (#2368)
    • chore: rename getQueryCache/getFormCache to initQueryCache/initFormCa (#2375)
    • chore(performance): improve countParams (#2378)
    • Remove some functions that have the same effect as the bytes package (#2387)
    • update:SetMode function (#2321)
    • remove a unused type SecureJSONPrefix (#2391)
    • Add a redirect sample for POST method (#2389)
    • Add CustomRecovery builtin middleware (#2322)
    • binding: avoid 2038 problem on 32-bit architectures (#2450)
    • Prevent panic in Context.GetQuery() when there is no Request (#2412)
    • Add GetUint and GetUint64 method on gin.context (#2487)
    • update content-disposition header to MIME-style (#2512)
    • reduce allocs and improve the render WriteString (#2508)
    • implement ".Unwrap() error" on Error type (#2525) (#2526)
    • Allow bind with a map[string]string (#2484)
    • chore: update tree (#2371)
    • Support binding for slice/array obj [Rewrite] (#2302)
    • basic auth: fix timing oracle (#2609)
    • Add mixed param and non-param paths (port of httprouter#329) (#2663)
    • feat(engine): add trustedproxies and remoteIP (#2632)

    Gin v1.6.3

    ENHANCEMENTS

    • Improve performance: Change *sync.RWMutex to sync.RWMutex in context. #2351

    Gin v1.6.2

    BUGFIXES

    • fix missing initial sync.RWMutex #2305

    ENHANCEMENTS

    • Add set samesite in cookie. #2306

    Gin v1.6.1

    BUGFIXES

    • Revert "fix accept incoming network connections" #2294

    ... (truncated)

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 0
  • Custom Error Response

    Custom Error Response

    Hi -

    I was looking through the library and there's currently no way to write a different error other than the html and response code that Sqreen sends.

    I would like to show a custom error message on our React app when Sqreen shows an aborted request. I did notice that there were hooks in the internal package to enable those error messages, but maybe I missed it in my quick scan to be able to hook into those hooks?

    I would set a custom status code in the Sqreen dashboard but that's not possible (only allows 400-599 status codes).

    Thanks!

    feedback 
    opened by sdalezman 4
Releases(v1.0.6)
  • v1.0.3(Mar 15, 2021)

    Fix

    • IP headers parsing with IPv6 addresses:
      Fix the parsing of IP headers such as X-Forwarded-For in presence of IPv6 addresses. IPv6 addresses were mistakenly split by host and port number, later leading to IP parsing issues and thus ignoring the address.
    Source code(tar.gz)
    Source code(zip)
  • v1.0.2(Mar 15, 2021)

    Fix

    • Configuration:
      Use the configuration key proxy both as an HTTP and HTTPS proxy setting.

    • sdk/sqreen-instrumentation-tool:
      Fix filepath generation on Windows.

    Source code(tar.gz)
    Source code(zip)
  • v1.0.1(Feb 16, 2021)

    Fix

    • Fix Sqreen's overhead rate calculation when the observed execution time is 0. This situation can happen when the execution timer wasn't precise enough in order to observe fast execution times.

    Internal Changes

    • Add a new backend url configuration key ingestion_url for validation testing.
    Source code(tar.gz)
    Source code(zip)
  • v1.0.0(Nov 19, 2020)

    New Features

    • (#172) New SDK convenience function:
      Add a new helper function sdk.FromRequest() allowing to retrieve Sqreen's request context and perform SDK calls. It is equivalent to sdk.FromContext(r.Context()).

    • (#156) Performance monitoring:
      Monitor the execution time of requests protected by Sqreen. Optionally, it is possible to enforce the maximum amount of time Sqreen is allowed to run per request: Sqreen's monitoring and protections will only run for the given amount of time. This option is disabled by default and should be used with caution as it can lead to partially protected requests.
      The resulting performance monitoring diagrams and settings are available at https://my.sqreen.com/application/goto/settings/performance.
      Note that the execution time diagram cannot be used as a strict Application Performance Monitoring diagram as it is based on a lossy representation. It gives rough estimates of the actual execution time.

    • (#170) Transparent response writer instrumentation:
      Make the HTTP response writer instrumentation transparent by providing the same set of interfaces as the instrumented HTTP response writer. The set of interfaces is currently every optional net/http response writer interface, along with some relevant io interfaces, among which:

      • http.Flusher: for HTTP streaming support (multipart, chunked...).
      • http.Pusher: for HTTP2 server push support.
      • http.Hijacker: for websocket server support (experimental).
      • io.ReaderFrom: for optimized copies (eg. file copies).
      • io.WriteString: for optimized string copies.
    • (#163) HTTP status code 404 (not found) monitoring:
      Automatically log a security event when the response status code is 404. This event is used by an internal Sqreen backend playbook to detect security scans.

    • (#163) Scalable security event throughput:
      To be able to handle a higher throughput of security events, the agent can now scale its number of goroutines. An extra goroutine is created every time the internal event queue is full, up to the number of available CPUs. Note that the agent still drops security events when the event queue is full in order to avoid slowing down the host application.

    • (#165) Agent errors in the request hot-path:
      To avoid slowing down request handlers, agent errors happening in the request hot path are now logged based on an exponential backoff algorithm.
      This is disabled when the agent log level is debug.

    Breaking Change

    • (#168) SDK return values:
      The SDK function and method return values are no longer pointer values but Go interface values. This may break integrations using explicit SDK return types, and we recommend to instead use type-inference when possible. This change will allow us to transparently change the actual return values without involving any further breaking change.
      As of today, the actual return value is a structure small enough to be returned by value in order to save memory-allocation and garbage-collection time. Returning an interface value allows to hide such implementation detail.

    Fixes

    • (#167) Playbook security response events:
      Fix playbook security response events (blocking or redirecting a user or ip) so that Sqreen's dashboard can properly display them and link them to their source playbook.

    • (#169) SQL-injection protection with Elastic APM:
      Fix the detection of the SQL dialect when the SQL driver is instrumented by Elastic's APM tracer. This requires Elastic's Go agent version greater than v1.9.0.

    • (#164) Echo middleware:
      Fix the response status code monitoring when Echo's request handlers return an error.

    • (#166) Gin middleware:
      Fix the response content-length monitoring of default responses (ie. when the handler does nothing).

    Source code(tar.gz)
    Source code(zip)
  • v0.16.1(Sep 30, 2020)

    Fixes

    • (#158) PII: make the PII scrubbing of In-App WAF attack events case-insensitive in order to correctly scrub transformed request parameters.

    • (#159) Monitoring: fix the content type and length monitoring of HTTP responses.

    • (#157) Gin middleware: use the request Go context instead of Gin's so that the agent can properly manage the request execution context, but also to correctly propagate values stored in the Go context before the middleware function.

    Source code(tar.gz)
    Source code(zip)
  • v0.16.0(Sep 22, 2020)

    New Features

    • (#155) Add Echo v4 support with a new middleware function provided by package github.com/sqreen/go-agent/sdk/middleware/sqecho/v4.

    • (#152) Add In-App WAF protection to Echo's request parameter parser: Context's method Bind() is now protected by the In-App WAF. The Go value it parses from the HTTP request is made available to the In-App WAF rules via the GET/POST parameters field.
      When blocked, Bind() returns a non-nil SqreenError value and its caller should immediately return.
      Read more about the blocking behavior at https://docs.sqreen.com/go/integration.

    Fix

    • (#153) RASP shellshock: properly handle environment variables containing variable definitions (eg. TERMCAP).
    Source code(tar.gz)
    Source code(zip)
  • v0.15.0(Sep 10, 2020)

    New Feature

    • (#149) Add activity monitoring of RASP protections. The number of times a protection has been used in the application is now displayed on the Activity tab of each RASP protection dashboard page.

    Fixes

    • (#148) Fix the usage of the Go agent in a reverse proxy server: avoid automatically reading a POST request's body because of the former usage of Request.ParseForm() in Sqreen's middleware functions, and rather get POST form values from Request.PostForm, and URL query values from Request.URL.Query().
      Note that since Request.PostForm's value is assigned by Request.ParseForm(), the In-WAF and RASP protections will now consider POST form values when the request handler will have called Request.ParseForm() itself for its own needs.
      Therefore, the In-App WAF is now also attached to ParseForm() to monitor the resulting POST form values, which can return a non-nil error when an attack is detected (cf. https://docs.sqreen.com/go/integration for more Go integration details).

    • (ef81fc2) Enforce a request body reader to ignore it when blocked by the In-App WAF by returning it 0 bytes read along with the current non-nil error. This allows for example io.LimitReader not to copy the body buffer despite the non-nil error returned by the In-App WAF protection.

    Source code(tar.gz)
    Source code(zip)
  • v0.14.0(Sep 2, 2020)

    New Feature

    Fixes

    • (#145) In-App WAF: always recover from panics as this in the way the reflect package handles usage errors.

    • (#144) Backend client: avoid dropping HTTP traces in case of Host header parsing errors.

    Source code(tar.gz)
    Source code(zip)
  • v0.13.0(Jul 24, 2020)

    New Feature

    Internal Changes

    • (#138) Health-check the HTTPS connectivity to the new backend API ingestion.sqreen.com before using it. Fallback to the usual back.sqreen.com in case of a connection issue. Therefore, the agent can take up to 30 seconds to connect to Sqreen if the health-check timeouts. Please make sure to add this new domain to your firewall or proxy configurations.

    • (#136) Add support to attach multiple security protections per hook point.

    Fixes

    • (#140) Fix the In-App WAF metadata PII scrubbing to also match substrings.
    Source code(tar.gz)
    Source code(zip)
  • v0.12.1(Jul 13, 2020)

    Fixes

    • (d81222d) Add missing request parameters when both JSON values and form values were present - only the form values were taken into account.

    • (ee22b77) Upgrade the In-App WAF library to v0.7.0:

      • Fix false positives in libinjection SQL heuristics.
      • Fix a false positive in libinjection XSS heuristics.
      • Add support for boolean values.
      • Add support for float values.
      • Fix memory deallocator of scalar values.
    • (c203264) Fix data bindings with null values.

    Internal Changes

    • (c425760) Avoid copying the metadata returned by the In-App WAF.
    Source code(tar.gz)
    Source code(zip)
  • v0.12.0(Jul 6, 2020)

    New Features

    • (#130) In-App WAF protection of the HTTP request body:
      Since the HTTP request handler needs to explicitly read the request body, and ultimately parse it into a Go value, the In-App WAF is now applied to new points in the request lifecycle:

      1. Reading the request body is now monitored until EOF is reached, and the raw body bytes are made available to the In-App WAF rules via a new In-App WAF field Body. Note that such In-App WAF rules can be created on custom In-App WAF rulesets only.

      2. Parsers can be now protected by the In-App WAF once they have parsed a request input into a Go value. The parsed value is made available to the In-App WAF rules via the GET/POST parameters field. Every existing In-App WAF rule using this field therefore applies.
        This new feature is firstly deployed on Gin's ShouldBind() method which is Gin's function to parse HTTP request values. It allows to cover every parser Gin provides such as BindJSON(), BindXML(), etc.

      When blocked, the function returns a non-nil SqreenError value and the caller should immediately return.
      Read more about the blocking behavior of Sqreen for Go at https://docs.sqreen.com/go/integration.

    • (#129) Update Sqreen's blocking HTML page with a clearer description of what users getting it should do.

    Fix

    • (794d6e2) Allow port numbers in the X-Forwarded-For header.
    Source code(tar.gz)
    Source code(zip)
  • v0.11.0(Jun 19, 2020)

    New Features

    • (#119) RASP: add Shell Injection protection support. This protection is currently dynamically applied to os.StartProcess() which is the only entry point of the Go standard library to execute a process. This protection can be configured at https://my.sqreen.com/application/goto/modules/rasp/details/shi.

    • (#119) RASP: add Local File Inclusion protection support. This protection is currently dynamically applied to os.Open() which is the only entry point of the Go standard library to open a file for reading. This protection can be configured at https://my.sqreen.com/application/goto/modules/rasp/details/lfi.

    • (#120) RASP: add Server-Side Request Forgery protection support. This protection is currently dynamically applied to net/http.(*Client).do() which is the only entry point of the Go standard library to perform an HTTP request. This protection can be configured at https://my.sqreen.com/application/goto/modules/rasp/details/ssrf.

    • (#125) RASP: enable SQL Injection protection for every MySQL, Oracle, SQLite and PostgreSQL drivers listed in the Go language wiki page https://github.com/golang/go/wiki/SQLDrivers.

    • (#115) RASP: store Sqreen's request protection context into the Goroutine Local Storage (GLS). Therefore, Sqreen can now protect every Go function without requiring the request Go context (eg. both QueryContext() and Query() can be now protected against SQL injections). For now, this protection context is only available in the goroutine handling the request, and sub-goroutines are not protected. Further support will be added very soon to remove this limitation.

    • (#121) Add IP denylist support: block every request performed by an IP address of the denylist. Every usage of whitelist and blacklist in the agent was also removed when possible. The IP denylist can be configured at https://my.sqreen.com/application/goto/settings/denylist.

    • (#122) Add path passlist support: requests performed on those paths are not monitored nor protected by Sqreen. The Path passlist can be configured at https://my.sqreen.com/application/goto/settings/passlist.

    • (#123) Export the error type returned by Sqreen protections when blocking in the new SDK package github.com/sqreen/go-agent/sdk/types in order to avoid retrying blocked function calls (eg. avoid retrying a blocked SQL query). It must be used along with errors.As() to detect such cases. Read more at https://godoc.org/github.com/sqreen/go-agent/sdk/types.

    • (#124) Allow to "quickly" remove the agent from a program by only removing it from the source code without disabling the program instrumentation. This is made possible by making the instrumentation fully autonomous to avoid compilation errors.

    Fixes

    • Gin Middleware: fix the HTTP status code monitoring that was possibly changed by Gin after having been already written.

    Internal Changes

    • (#126) Cache request value lookups, mainly to accelerate the In-App WAF when lots of rulesets are enabled.

    • (#117) Simpler Go vendoring support implementation.

    • (#113) Significant JavaScript performance improvements by changing the virtual machine to github.com/dop251/goja.

    • (#114) Add Goroutine Local Storage (GLS) support through static instrumentation of the Go runtime.

    Source code(tar.gz)
    Source code(zip)
  • v0.10.1(Jun 5, 2020)

  • v0.10.0(May 20, 2020)

    New Features

    • (#109) Make the PII sanitizer configurable with two new configuration entries allowing to control the regular expressions used to sanitize everything sent to Sqreen. The agent doesn't start in case of an invalid regular expression. Read more on how it works on this page.

    • (#110) The net/http middleware now includes URL segments in the request parameters to increase the coverage we have on frameworks compatible with it, such as gorilla or beego.

    Internal Changes

    • (#107) Backend API: integrate the security signal HTTP API.

    Fixes

    • (#108) Update the token validation to correctly handle the new token format.

    • (#111) Fix the JSON serialization function of HTTP headers monitored by the agent that could fail depending on the header values. Note that the JSON serialization of the parent data structure safely catches any JSON injection attempt.

    Documentation

    Source code(tar.gz)
    Source code(zip)
  • v0.9.3(May 12, 2020)

    Fixes:

    • In-App WAF: update the library to latest v0.6.1 which fixes issues of WAF rules with multiple parameters: when one of them was missing, the rule didn't execute as expected (logical or instead of the logical and).

    • Agent-version reporting issue leading to a false message about the agent version on the dashboard.

    Source code(tar.gz)
    Source code(zip)
  • v0.9.1(Mar 30, 2020)

    Fixes

    • (#99) Fix mistakenly enforced HTTP status code 200 when Sqreen's middleware function is not the first in the request handling chain. This issue appeared when not adding Sqreen's middleware function as the root HTTP middleware.

    • (#100) Fix the monitoring of HTTP response codes mistakenly considered 200 when set by the request handlers.

    • (#101) Prevent starting the agent when the instrumentation tool and agent versions are not the same.

    Documentation

    • Add the wonderful Sqreen Gopher to the readme :tada:
    Source code(tar.gz)
    Source code(zip)
  • v0.9.0(Feb 19, 2020)

    This new major version says farewell to the beta and adds SQL-injection run time protection thanks to the first building blocks of RASP for the Go language! Thank you to everyone who helped us in this wonderful and amazing journey ;-)

    The Go agent has been protecting production servers for more than a year now and we reached the point where we are confident enough about its deployment, setup, but also its internals and specific integrations with the Go language and runtime.

    We are getting closer to the fully-featured agent v1.0 as we will now be able to fully add support for every RASP protection.

    Breaking Changes

    Because we now want a stable public API, find below the breaking changes:

    • The former separate agent package github.com/sqreen/go-agent/agent that was asked to import in order to start the agent is no longer required nor available. This is now performed by the middleware functions we provide in order to avoid the most common setup mistake during the beta where only the agent was setup and no middleware function was set to protect the requests (and therefore nothing was happening).

    • SDK: the user identification SDK method Identify() has been updated to be simpler to use and less error-prone by now making it return a non-nil error when the request handler shouldn't continue any further serving the request. It happens when a user security response has matched the identified user. This replaces the former separate SDK method MatchSecurityResponse().
      New usage example:

      sqUser := sq.ForUser(sdk.EventUserIdentifiersMap{"uid": "unique user id"})
      if err := sqUser.Identify(); err != nil {
        return
      }
      
    • The agent no longer starts if the program wasn't instrumented by using the instrumentation tool. See docs.sqreen.com/go/installation for details on how to install and use the tool. Note that the program is not aborted - only the agent is disabled.

    • Dropping gRPC support: the beta support for gRPC was experimental and was in the end too limited by Sqreen's focus on the HTTP protocol. Most of our protections are indeed designed for HTTP and couldn't be applied at the gRPC protocol level. We are therefore removing it until we can provide a correct experience for such HTTP-based protocol.
      Please contact us if you need any further information or if you are interested in helping us building it ([email protected]).

    New Features

    • SQL-injection RASP protection: when enabled on Sqreen's dashboard, the database/sql Go package gets automatically protected against SQL injections. SQL queries go through our SQL-injection detection which will abort the SQL function call and corresponding HTTP request when an attack is detected. Note that special care was taken to properly integrate with Go error-handling principles: when a SQL query gets blocked, the HTTP request context is canceled and a non-nil error is returned by the database/sql function call in order to fall into the existing error-handling flow. For example:

      // The following query can be injected. An error is returned when the SQL query was blocked.
      rows, err := db.QueryContext(ctx, "select id, name from users where id=" + unsafe)
      if err != nil {
        return err
      }
      

      Read more about Go integration details at http://docs.sqreen.com/go/integration.

    • Dashboard diagnostic messages: major setup issues are now also reported through Sqreen's dashboard page of running hosts to get notified about some downgraded states of the agent, such as:

      • The Go program is not instrumented so the agent didn't start.
      • The In-App WAF wasn't compiled (eg. CGO disabled) so it is unavailable and disabled.
      • The program dependencies couldn't be retrieved because the program was not compiled as a Go module. This is also shown by the dashboard when the list of dependencies is empty.
    Source code(tar.gz)
    Source code(zip)
  • v0.1.0-beta.10(Jan 24, 2020)

    The tag v0.1.0-rc.1 is also provided as a workaround for dependency management tools having issues to correctly handle tags beyond 9.

    Breaking Change

    • (#89) Go instrumentation: Sqreen's dynamic configuration of the protection of your Go programs is made possible at run time thanks to Go instrumentation. It is a building block of the upcoming run time self-protection (aka RASP) and it is safely performed at compilation time by an instrumentation tool that seamlessly integrates with the Go toolchain. To begin, only a specific set of Go packages are instrumented: the agent and database/sql (to prepare the upcoming SQL injection protection).

      Please, find out how to install and use the tool on the new agent installation documentation available at https://docs.sqreen.com/go/installation/.

    New Features

    • (#90) The SDK now imports the agent package to no longer have to import it in the main package. The SDK is indeed mandatory when setting up Sqreen for Go, making it the best place to import the agent.

    • (#91) The program dependencies are now sent to Sqreen to perform dependency analysis (outdated, vulnerable, etc.). They are only available when the Go program you compile is a Go module. Sqreen's dashboard Dependency page will be made available soon.

    Fix

    • (#92) Vendoring using go mod vendor could lead to compilation errors due to missing files.
    Source code(tar.gz)
    Source code(zip)
  • v0.1.0-beta.9(Dec 19, 2019)

    New Features

    • Request parameters such as query or post parameters are now added in the attack events and shown in the attack logs and in the event explorer pages of our dashboard. (#84)

    • PII scrubbing is now performed on every event sent to Sqreen, as documented on https://docs.sqreen.com/guides/how-sqreen-works/#pii-scrubbing. (#86)

    Fixes

    • Add PII scrubbing to the WAF logs that may include data from the request. (#87)

    Internal Changes

    • The In-App WAF has been intensively optimized so that large requests can no longer impact its execution time. (#83)
    Source code(tar.gz)
    Source code(zip)
  • v0.1.0-beta.8(Oct 15, 2019)

    Internal Changes

    • In-App WAF:
      • Dynamically set the WAF timeout (#79).
      • Ignore WAF timeout errors and add more context when reporting an error (#80).
      • Update the libsqreen to v0.4.0 to add support for the @pm operator.
    Source code(tar.gz)
    Source code(zip)
  • v0.1.0-beta.7(Sep 25, 2019)

    Breaking Changes

    • CGO bindings are now involved in the compilation of the agent and will require the gcc compiler and the C library headers. Note that compiling the agent without CGO (CGO_ENABLED=0) is still possible but will disable some agent features; in this case the new WAF feature described below.

    New Feature

    • Add support for the In-App WAF: an out-of-the-box Web-Application Firewall leveraging the full application context, that is fail-safe, has limited false positives and won’t require heavy fine-tuning. Only darwin/amd64 and linux/amd64 targets are supported so far. Any other target will get this feature disabled. More targets will be added in future versions. (#77)

    Minor Change

    • Increase the internal timeout value of the HTTP client to Sqreen's backend in order to be more resilient to normal networking delays.

    Fix

    • Fix a compilation error on 32-bit target architectures.
    Source code(tar.gz)
    Source code(zip)
  • v0.1.0-beta.6(Jul 25, 2019)

    New Features

    • Fully-featured playbooks with the added ability into the agent to redirect the request to a given URL. (#72)

    • Configurable protection behaviour of the agent when blocking a request by either customizing the HTTP status code that is used for the blocking HTML page, or by redirecting to a given URL instead.
      Dashboard page: https://my.sqreen.com/application/goto/settings/global#protection-mode

    • HTTP response status code monitoring. (#75)
      Dashboard page: https://my.sqreen.com/application/goto/monitoring

    • Support for browser security headers protection modules allowing to enable various browser security options allowing to restrict modern browsers from running into some preventable vulnerabilities:

      • Content Security Policy protection module allowing to prevent cross-site scripting attacks. (#74)
        Dashboard page: https://my.sqreen.com/application/goto/modules/csp

      • Security headers protection module allowing to protect against client-side vulnerabilities in the browser. (#73)
        Dashboard page: https://my.sqreen.com/application/goto/modules/headers

    Minor Changes

    • Better agent configuration logs clearly stating where does the configuration come from (file in search path, enforced file or environment variables), along with the possibility to display the full settings using the debug log-level.
    Source code(tar.gz)
    Source code(zip)
  • v0.1.0-beta.5(Jun 14, 2019)

    New Features

    • Middleware functions, called interceptors, for gRPC over HTTP2. More details on how to use it at https://godoc.org/github.com/sqreen/go-agent/sdk/middleware/sqgrpc. (#23)

    • IP whitelist support to make the agent completely ignore requests whose IP addresses are whitelisted. Everything related to Sqreen, including events, will be ignored. (#69)

    • Agent fail-safe catching errors and panics in order to prevent the host Go app to fail. The fail-safe mechanism either tries to restart the agent or ultimately stops it. (#67)

    Minor Changes

    • Internal event batch improvements:
      • Increased batch buffer capacity from 60 to 6000 entries in order to be able to handle more events, sent by batches of 60 events per heartbeat.
      • Remove a bookkeeping goroutine and include its logic into the main event processing loop.
    Source code(tar.gz)
    Source code(zip)
  • v0.1.0-beta.4(Apr 16, 2019)

    This release adds the ability to block IP addresses or users into your Go web services by adding support for Security Automation according to your playbooks and their configured security responses.

    Note that redirecting users or IP addresses is not supported yet.

    New Feature

    • Security Automation:
      It is now possible to block IP addresses or users. When a playbook triggers, the agent is notified and gets the batch of security responses. They are asynchronously stored into data structures optimized for fast lookup and low memory usage. Middleware functions can thus perform fast lookups to block requests in a few microseconds in order to exit request handlers as fast as possible.

      • Blocking IP addresses:
        No changes are required to block IP addresses. Our middleware functions have been updated to block requests whose IP addresses match a security response. The request is aborted with HTTP status code 500 and Sqreen's default HTML information page.

      • Blocking users:
        Blocking users is performed by combining SDK methods Identify() and MatchSecurityResponse() in order to firstly associate a user to the current request, and secondly to check if it matches a security response. When a security response matches, the request handler and any related goroutines should be stopped as soon as possible.

        Usage example:

        uid := sdk.EventUserIdentifiersMap{"uid": "my-uid"}
        sqUser := sdk.FromContext(ctx).ForUser(uid)
        sqUser.Identify()
        if match, err := sqUser.MatchSecurityResponse(); match {
          // Return now to stop further handling the request and let Sqreen's
          // middleware apply the configured security response and abort the
          // request. The returned error may help aborting from sub-functions by
          // returning it to the callers when the Go error handling pattern is
          // used.
          return err
        }
        

        We strongly recommend to create a user-authentication middleware function in order to seamlessly integrate user-blocking to all your user-authenticated endpoints.

    Fix

    • Escape the event type name to avoid JSON marshaling error. Note that this case could not happen in previous agent versions. (#52)

    Minor Change

    • Avoid performing multiple times commands within the same command batch. (51)
    Source code(tar.gz)
    Source code(zip)
  • v0.1.0-beta.3(Mar 22, 2019)

    New Features

    • Get the client IP address out of the HAProxy header X-Unique-Id using the new configuration variable ip_header_format. (#41)

    • New configuration option strip_http_referer/SQREEN_STRIP_HTTP_REFERER allowing to avoid sending the Referer HTTP header to the Sqreen backend when it contains sensitive data. (#36)

    • Ability to disable/enable the agent through the dashboard settings using the Sqreen status button. (#29)

    Breaking Changes

    • The agent package github.com/sqreen/go-agent/agent is no longer imported by github.com/sqreen/go-agent/sdk. It now needs to be explicitly imported to be included in your Go service.

    • Agent internals are now under a private Go package and can no longer be imported. Any sub-package under github.com/sqreen/go-agent/agent was not supposed to be imported and is now private to avoid future confusions. (#27)

    Fixes

    • Remove duplicate User-Agent entry sent twice in the request record. (#42)

    • Fix IPv4 and IPv6 matching against private network definitions. (#38)

    • Remove useless empty request records mistakenly created while not carrying any SDK observation. (#38)

    Minor Changes

    • Better memory management and footprint when the agent is disabled by removing globals. This will be also required to be able to cleanly restart the agent by self-managing the initializations. (#28)
    Source code(tar.gz)
    Source code(zip)
  • v0.1.0-beta.2(Feb 14, 2019)

  • v0.1.0-beta.1(Feb 7, 2019)

    This version is a new major version towards the v0.1.0 as it proposes a new and stable SDK API, that now will only be updated upon user feedback. So please, share your impressions with us.

    New Features

    • New web framework middleware support:

      • Standard Go's net/http package (#21).
      • Echo (#19).
    • Multiple custom events can now be easily associated to a user using the user-scoped methods under ForUser(). For example, to send two custom events for a given user, do:

      sqUser := sqreen.ForUser(uid)
      sqUser.TrackEvent("my.event.one")
      sqUser.TrackEvent("my.event.two")
      
    • The configuration file can now be stored into multiple locations, the current working directory or the executable one, or enforced using the new configuration environment variable SQREEN_CONFIG_FILE (#25).

    • The custom client IP header configured in SCREEN_IP_HEADER is now also sent to Sqreen so that it can better understand what IP headers were considered by the agent to determine what is the actual client IP address (67e2d4cbf9b883e9e91e1a5d9e53348a18c1b900).

    Breaking Changes

    • Stable SDK API of "Sqreen for Go":

      • Avoid name conflicts with framework packages by prefixing Sqreen's middleware packages with sq. For example, gin becomes sqgin (#17).

      • Cleaner Go documentation now entirely included in the SDK and middleware packages Go documentations. So no more need to go inside the agent documentation to know more on some SDK methods, it is now all documented in the same place, with lot of examples.

      • Clearer SDK API: The flow of security events that can send to Sqreen is now well-defined by a tree of SDK methods that can only be used the right way. (#18, #24)

        • The SDK handle getter function name is renamed from GetHTTPRequestContext() into a simpler FromContext().

        • User-related SDK methods are now provided by ForUser(), for example:

          sqreen.TrackAuth(true, uid)
          

          becomes

          sqreen.ForUser(uid).TrackAuthSuccess()
          
    Source code(tar.gz)
    Source code(zip)
  • v0.1.0-alpha.5(Jan 24, 2019)

    New features

    • sdk: user-related security events: - ability to associate a user to an event using WithUserIdentifier() (#13). - track user creation using TrackSignup() (#15). - track user authentication using TrackAuth() (#15).

    • agent/backend: take into account {HTTPS,HTTP,NO}_PROXY environment variables (and their lowercase alternatives) (#14).

    • agent/backend: share the organization token for all your apps (#12).

    Fixes

    • agent/config: avoid conflicts with global viper configs (#16).
    • sdk: better documentation with examples.
    Source code(tar.gz)
    Source code(zip)
Owner
Sqreen
Sqreen is a security platform protecting web applications
Sqreen
Web-Security-Academy - Web Security Academy, developed in GO

Web-Security-Academy - Web Security Academy, developed in GO

Xavier Llauca 1 Feb 23, 2022
A tool for secrets management, encryption as a service, and privileged access management

Vault Please note: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault, please respo

HashiCorp 26.7k Jan 2, 2023
Cossack Labs 1.1k Dec 28, 2022
HTTP middleware for Go that facilitates some quick security wins.

Secure Secure is an HTTP middleware for Go that facilitates some quick security wins. It's a standard net/http Handler, and can be used with many fram

Cory Jacobsen 2.1k Jan 3, 2023
Gryffin is a large scale web security scanning platform.

Gryffin (beta) Gryffin is a large scale web security scanning platform. It is not yet another scanner. It was written to solve two specific problems w

Yahoo 2.1k Dec 27, 2022
set of web security test cases and a toolkit to construct new ones

Webseclab Webseclab contains a sample set of web security test cases and a toolkit to construct new ones. It can be used for testing security scanners

Yahoo 916 Jan 7, 2023
PHP security vulnerabilities checker

Local PHP Security Checker The Local PHP Security Checker is a command line tool that checks if your PHP application depends on PHP packages with know

Fabien Potencier 989 Jan 3, 2023
Tracee: Linux Runtime Security and Forensics using eBPF

Tracee is a Runtime Security and forensics tool for Linux. It is using Linux eBPF technology to trace your system and applications at runtime, and analyze collected events to detect suspicious behavioral patterns.

Aqua Security 2.4k Jan 5, 2023
A scalable overlay networking tool with a focus on performance, simplicity and security

What is Nebula? Nebula is a scalable overlay networking tool with a focus on performance, simplicity and security. It lets you seamlessly connect comp

Slack 11k Dec 29, 2022
How to systematically secure anything: a repository about security engineering

How to Secure Anything Security engineering is the discipline of building secure systems. Its lessons are not just applicable to computer security. In

Veeral Patel 9.5k Jan 5, 2023
Convenience of containers, security of virtual machines

Convenience of containers, security of virtual machines With firebuild, you can build and deploy secure VMs directly from Dockerfiles and Docker image

null 65 Dec 28, 2022
MQTT安全测试工具 (MQTT Security Tools)

███╗ ███╗ ██████╗ ████████╗████████╗███████╗ ████╗ ████║██╔═══██╗╚══██╔══╝╚══██╔══╝██╔════╝ ██╔████╔██║██║ ██║ ██║ ██║ ███████╗ ██║╚██╔╝█

null 29 Dec 21, 2022
gosec - Golang Security Checker

Inspects source code for security problems by scanning the Go AST.

Secure Go 6.5k Jan 2, 2023
GoPhish by default tips your hand to defenders and security solutions. T

GoPhish by default tips your hand to defenders and security solutions. The container here strips those indicators and makes other changes to hopefully evade detection during operations.

null 106 Jan 4, 2023
Go binary that finds .EXEs and .DLLs on the system that don't have security controls enabled

Go Hunt Weak PEs Go binary that finds .EXEs and .DLLs on the system that don't have security controls enabled (ASLR, DEP, CFG etc). Usage $ ./go-hunt-

m0rv4i 13 Oct 28, 2021
One Time Passwords (OTPs) are an mechanism to improve security over passwords alone.

otp: One Time Password utilities Go / Golang Why One Time Passwords? One Time Passwords (OTPs) are an mechanism to improve security over passwords alo

Paul Querna 1.6k Jan 7, 2023
a collection of security projects

security projects A collection of security projects that I worked on from UC Berkeley's security course (cs 161) taught by Nick Weaver. Project 1 (Exp

Danny Halawi 0 Nov 8, 2021
firedrill is a malware simulation harness for evaluating your security controls

firedrill ?? Malware simulation harness. Build native binaries for Windows, Linux and Mac simulating malicious behaviours. Test the effectiveness of y

FourCore Labs 83 Dec 22, 2022
A scanner for running security-related configuration checks such as CIS benchmarks

Localtoast Localtoast is a scanner for running security-related configuration checks such as CIS benchmarks in an easily configurable manner. The scan

Google 31 Dec 15, 2022