Cobra & Viper Fortify Security as Part of Inaugural GitHub Secure Open Source Fund
Published on August 11, 2025 by Steve Francia
We are thrilled to announce that Cobra and Viper were selected to be part of the prestigious inaugural cohort of the GitHub Secure Open Source Fund. As foundational libraries within the Go ecosystem, enhancing their security is paramount, and this initiative has provided us with an unparalleled opportunity to do just that.
You can read more about the program and the incredible projects that participated alongside us on the official GitHub Blog.
Representing our projects in this first-ever cohort were project creator Steve Francia, along with core maintainers John McBride and Márk Sági-Kazár. Over several weeks, they participated in an intensive program led by security experts from GitHub and the broader industry.
Our Experience in the Program
The program provided deep, hands-on training across a wide spectrum of security disciplines tailored for the unique challenges of open source projects. Key topics included:
- Threat Modeling: Proactively identifying and mitigating potential security vulnerabilities in our architecture and code.
- Secure Supply Chain: Implementing best practices for dependency management, build attestations, and generating Software Bills of Materials (SBOMs).
- Incident Response: Developing a formal plan to effectively manage and communicate security events.
- Advanced Tooling: Leveraging GitHub’s advanced security features like CodeQL, Dependabot, and secret scanning to their full potential.
- Community Security: Best practices for managing community safety and handling private vulnerability disclosures.
The collaborative environment was one of the most valuable aspects. It was particularly gratifying to discover that over 10% of the 71 projects selected to be in the program rely on Cobra and/or Viper. We were honored to share this experience with maintainers from many of our user projects, including Ollama, Ente, Caddy, Flux, Colima, and ZITADEL. Getting to know these talented teams, we discovered just how much we all have in common, facing similar challenges and celebrating shared successes in the open source world.
Concrete Security Enhancements
Participation was not just about learning; it was about doing. We have already implemented several significant security improvements across both Cobra and Viper, with more to come:
- Private Vulnerability Reporting: We have enabled GitHub’s private vulnerability reporting feature, allowing security researchers to disclose issues to us securely and discreetly.
- Enhanced Code Scanning: We have integrated CodeQL into our continuous integration pipelines to automatically detect vulnerabilities and security weaknesses before they reach a release.
- Hardened Build Process: Our build and release workflows now generate attestations using GitHub Attestations and include a Software Bill of Materials (SBOM) to provide full transparency into our dependencies.
- Formal Incident Response Plan: We are finalizing a comprehensive Incident Response Plan (IRP) to ensure we are prepared to handle any future security incidents swiftly and responsibly.
- Improved Dependency Management: We have refined our Dependabot configuration and implemented the dependency-review-action to better scrutinize updates and prevent the introduction of dependencies that are vulnerable or carry disallowed licenses.
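To make the controls in the list above concrete, here is an added example of a GitHub Actions workflow that wires them together: dependency review on pull requests, CodeQL scanning, and a build step that emits an SBOM and signs build-provenance and SBOM attestations. This is illustrative code written for this post, not the actual workflow used by Cobra or Viper; the action versions, the severity threshold, the license denylist, the CodeQL query pack and the binary path (dist/example-cli) are all assumptions.

```yaml
# Added example, not Cobra's or Viper's own workflow. Action versions, the
# severity threshold, the license denylist and the binary path are assumptions.
name: security

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  dependency-review:
    # Pull requests only: diffs the PR's dependency changes against the
    # GitHub Advisory Database and the license policy below.
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write   # lets the action post its summary comment
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          # Fail when a newly introduced dependency has a known vulnerability
          # at or above this severity (assumed threshold).
          fail-on-severity: moderate
          # Block dependencies whose license the project does not accept
          # (assumed policy; adjust to your own requirements).
          deny-licenses: AGPL-3.0, GPL-3.0
          comment-summary-in-pr: always

  codeql:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required to upload CodeQL results
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: go
          # Extended query pack adds lower-precision security queries (assumed choice).
          queries: security-extended
      - uses: github/codeql-action/analyze@v3

  build-and-attest:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write        # OIDC token used to sign the attestations
      attestations: write    # stores the attestations with the repository
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - run: go build -o dist/example-cli ./cmd/example-cli   # assumed path
      # Generate an SPDX SBOM of the module's dependency graph.
      - uses: anchore/sbom-action@v0
        with:
          path: .
          format: spdx-json
          output-file: dist/sbom.spdx.json
      # Sign a SLSA build-provenance attestation for the binary ...
      - uses: actions/attest-build-provenance@v2
        with:
          subject-path: dist/example-cli
      # ... and attest the SBOM against the same binary, so downstream users
      # can verify both artifacts with the gh CLI.
      - uses: actions/attest-sbom@v2
        with:
          subject-path: dist/example-cli
          sbom-path: dist/sbom.spdx.json
```

A consumer who downloads the released binary can then check it against the stored provenance with `gh attestation verify dist/example-cli --owner <org>`; the SBOM attestation is checked the same way with `--predicate-type https://spdx.dev/Document`. The dependency-review job deliberately runs only on pull requests, since it reasons about the diff in dependency manifests rather than the full tree, while CodeQL and the attested build run on both pull requests and pushes to main.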
Steve Francia, creator of Cobra and Viper, had this to say about the experience:
Being part of the first-ever GitHub Secure Open Source Fund cohort was an incredible honor. Cobra and Viper are foundational to so many applications in the Go ecosystem, and this program has provided us with the tools, knowledge, and resources to significantly advance our security posture. The lessons learned and the changes we’ve implemented will benefit every developer and organization that relies on our projects.
The Go Advantage: A Secure Foundation 🛡️
Throughout the program, as we discussed security challenges with maintainers from diverse language ecosystems, a key theme emerged: the incredible security foundation provided by the Go language and its toolchain. We are immensely grateful to the Go team at Google for their foresight. Many complex security concerns that other projects grapple with are elegantly handled “for free” in Go.
This built-in security posture allows us to focus on application-level logic, knowing that the foundation is solid. Some of the features we benefit from include:
- Memory Safety: Go’s design prevents entire classes of bugs like buffer overflows and dangling pointers that plague other systems languages.
- Secure Supply Chain: With the Go Modules proxy and checksum database, our dependency management is verifiable and resistant to many supply chain attacks.
- Built-in Vulnerability Detection: The govulncheck tool is integrated into the Go toolchain, allowing us and our users to easily scan for known vulnerabilities.
- Native Fuzz Testing: Fuzzing is a first-class citizen in Go’s standard tooling, making it straightforward to discover edge cases and security issues automatically.
Looking Forward
The work of security is never finished. We want to extend a massive thank you to GitHub and the fund’s corporate partners for this opportunity. The financial contribution provided by the fund will be invaluable in supporting the continued maintenance and security hardening of our projects.
Our participation in the GitHub Secure Open Source Fund marks a significant step forward in our commitment to providing secure, reliable, and robust tools for the Go community. We are excited to continue applying these lessons and collaborating with our peers to build a more secure open source ecosystem for everyone.