Update dependency securego/gosec to v2.24.7

[gardener-ci-robot]

This PR contains the following updates:

Package	Update	Change
securego/gosec	minor	v2.22.11 → v2.24.7

---

Release Notes

securego/gosec (securego/gosec)

v2.24.7

Compare Source

Changelog

• bb17e42 Ignore nosec comments in action integration workflow to generate some warnings (#​1573)
• e1502ad Add a workflow for action integration test (#​1571)
• f8691bd fix(sarif): avoid invalid null relationships in SARIF output (#​1569)
• ade1d0e chore: migrate gosec container image references to GHCR (#​1567)

v2.24.6

Compare Source

Changelog

• 88835e8 Update gorelease to use the latest cosign bundle argument (#​1565)

v2.24.0

Compare Source

Changelog

• 271492b fix: G704 false positive on const URL (#​1551)
• 1341aea fix(G705): eliminate false positive for non-HTTP io.Writer (#​1550)
• f2262c8 G120: avoid false positive when MaxBytesReader is applied in middleware (#​1547)
• 5b580c7 Fix G602 regression coverage for issue #​1545 and stabilize G117 TOML test dependency (#​1546)
• eba2d15 taint: skip context.Context arguments during taint propagation to fix false positives (#​1543)
• a6381c1 test: add missing rules to formatter report tests (#​1540)
• fea9725 chore(deps): update all dependencies (#​1541)
• f3e2fac Regenrate the TLS config rule (#​1539)
• 200461f Improve documentation (#​1538)
• 078a62a Expand analyzer-core test coverage for orchestration, go/analysis adapter logic, and taint integration (#​1537)
• ffdc620 Add unit tests for CLI orchestration, TLS config generation, and SSA cache behavior (#​1536)
• c13a486 Add G707 taint analyzer for SMTP command/header injection (#​1535)
• f61ed31 Add G123 analyzer for tls.VerifyPeerCertificate resumption bypass risk (#​1534)
• b568aa1 Add G122 SSA analyzer for filepath.Walk/WalkDir symlink TOCTOU race risks (#​1532)
• 1735e5a fix(G602): avoid false positives for range-over-array indexing (#​1531)
• caf93d0 Improve taint analyzer performance with shared SSA cache, parallel analyzer execution, and CI regression guard (#​1530)
• bd11fbe fix: taint analysis false positives with G703,G705 (#​1522)
• e34e8dd Extend the G117 rule to cover other types of serialization such as yaml/xml/toml (#​1529)
• b940702 Fix the G117 rule to take the JSON serialization into account (#​1528)
• 4f84627 (docs) fix justification format (#​1524)
• 36ba72b Add G121 analyzer for unsafe CORS bypass patterns in CrossOriginProtection (#​1521)
• 238f982 Add G120 SSA analyzer for unbounded form parsing in HTTP handlers (#​1520)
• 89cde27 Add G119 analyzer for unsafe redirect header propagation in CheckRedirect callbacks (#​1519)
• 14fdd9c Fix G115 false positives and negatives (Issue #​1501) (#​1518)
• cec54ec chore(deps): update all dependencies (#​1517)
• 2b2077e Add G118 SSA analyzer for context propagation failures that can cause goroutine/resource leaks (#​1516)
• a7666f3 Add G113: Detect HTTP Request Smuggling via conflicting headers (CVE-2025-22891, CWE-444) (#​1515)
• 47f8b52 Add G408: SSH PublicKeyCallback Authentication Bypass Analyzer (#​1513)
• 4f1f362 Add more unit tests to improve coverage (#​1512)
• 9344582 Improve test coverage in various areas (#​1511)
• 8d1b2c6 Imprve the test coverage (#​1510)
• 993c1c4 Fix incorrect detection of fixed iv in G407 (#​1509)
• 8668b74 Add support for go 1.26.x and removed support for go 1.24.x (#​1508)
• 514225c Fix the sonar report to follow the latest schema (#​1507)
• 000384e fix: broken taint analysis causing false positives (#​1506)
• 616192c fix: panic on float constants in overflow analyzer (#​1505)
• 79956a3 fix: panic when scanning multi-module repos from root (#​1504)
• 5736e8b fix: G602 false positive for array element access (#​1499)
• 1b7e1e9 Update gosec to version v2.23.0 in the Github action (#​1496)

v2.23.0

Compare Source

Changelog

• 398ad54 feat: Support for adding taint analysis engine (#​1486)
• 6eacd5c chore(deps): update all dependencies (#​1494)
• 181a7cb chore(deps): update all dependencies (#​1494)
• e2fa6ab chore(deps): update all dependencies (#​1488)
• eb252ba Fix G602 analyzer panic that kills gosec process (#​1491)
• 20d71a0 update go version to 1.25.7 (#​1492)
• a631af8 Fix URL regexp and remove redundant Google regex patterns (#​1485)
• 8968502 feat: implement global cache usage in rules (#​1480)
• 04f729c chore(deps): update module google.golang.org/genai to v1.43.0 (#​1484)
• ade0e8f refactor: optimize nosec parsing and reduce allocations (#​1478)
• d24bbf7 Fix SARIF artifactChanges null validation error (#​1483)
• 15cba7f feat: optimize GetCallInfo with per-package sync.Pool caching (#​1481)
• 5288673 feat: implement entropy pre-filtering to optimize secret detection (#​1479)
• d9a9bcd feat: ensure GoVersion is cached using sync.Once (#​1477)
• 516260a Fix #​1240: nosec comments now work with trailing open brackets (#​1475)
• be0fd6d Debug Build Profiling Support: Code improvement suggestions for PR#1471 (#​1476)
• b579523 Update the go version to 1.25.6 and 1.24.12 (#​1474)
• bd3c738 G115: Enhance RangeAnalyzer with constant propagation and chained arithmetic support (#​1470)
• 6897b36 chore(deps): update all dependencies (#​1473)
• 9f20212 feat: support path-based rule exclusions via exclude-rules (#​1465)
• 726d847 Optimize analyzer with parallel package processing (#​1466)
• 3150b28 feat: add goanalysis package for nogo (#​1449)
• 7284e15 Refactor Analyzers: Unify Range Logic & Optimize Allocations (#​1464)
• 7a4ccef Optimize G115, G602, G407 analyzers to reduce allocations and memory (#​1463)
• 833d791 refactor(g115): improve coverage (#​1462)
• 0cc9e01 Refine G407 to improve detection and coverage of hardcoded nonces (#​1460)
• 303f84d chore(deps): update all dependencies (#​1461)
• 7387d22 Refactor rules to use callListRule base structure (#​1458)
• 52f5dbf feat(slice): enhance slice bounds analysis with dynamic bounds handling (#​1457)
• 649e2c8 remove deprecated ast.Object (#​1455)
• 35a92b4 feat(sql): enhance SQL injection detection with improved string concatenation checks (#​1454)
• bc9d2bc feat(rules): enhance subprocess variable checks (#​1453)
• 8a5404e feat(resolve): enhance TryResolve to handle KeyValueExpr, IndexExpr, and SliceExpr (#​1452)
• 0f6f21c feat: add secrets serialization G117 (#​1451)
• 717706e feat(rules): add support for detecting high entropy strings in composite literals (#​1447)
• 082deb6 whitelist crypto/rand Read from error checks (#​1446)
• 095d529 chore(deps): update all dependencies (#​1443)
• c073629 Improve slice bound check (#​1442)
• 538a05c docs: add documentation for using gosec with private modules (#​1441)
• 2580437 chore(deps): update all dependencies (#​1440)
• 872b331 docs: add G116 rule description to README (#​1439)
• dcf93a8 Update GitHub action to gosec 2.22.11 (#​1438)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[gardener-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign petersutter for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gardener-robot]

@holgerkoser, @grolu You have pull request review open invite, please check