GoReleaser builds and ships release artifacts for thousands of projects, making it a high-value supply-chain target. That's why we were thrilled to be selected for the third session of the GitHub Secure Open Source Fund.
<!--more-->

We joined a group with so many great projects that I feel bad trying to name just a few of them - so you should check the official announcement for the full list!

That said, in that session we made a lot of improvements to GoReleaser. Just to name a few:
Granted, we were already doing some things right, mostly thanks to the feedback of our amazing community. For instance, we had signing, SBOMs, and private vulnerability reports for a long time.
Still, there's always room for improvement!
One interesting thing I realized whilst talking with other maintainers is that Go has amazing tools for security.
For instance:
govulncheck is amazing as well, and every Go-based project should run it as part of its pipeline.

syft.

While some projects had to use external dependencies or write custom software to do some of these things, with Go it was really easy!
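As an added illustration (not code from this post, from GoReleaser itself, or from the secure example repository), here is a minimal GitHub Actions release workflow that fails the release if govulncheck reports a reachable vulnerability and then lets GoReleaser emit syft SBOMs and keyless-sign the checksums file with cosign; the action versions and the `cosign sign-blob` flags are assumptions taken from the respective tools' own documentation.

```yaml
# .github/workflows/release.yml (added example, assumed layout)
name: release
on:
  push:
    tags: ["v*"]
permissions:
  contents: write   # upload release assets
  id-token: write   # keyless cosign signing via the GitHub OIDC token
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0          # GoReleaser needs full history for the changelog
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      # Stop here if any vulnerability in a reachable code path is found
      - uses: golang/govulncheck-action@v1
      - uses: anchore/sbom-action/download-syft@v0
      - uses: sigstore/cosign-installer@v3
      - uses: goreleaser/goreleaser-action@v6
        with:
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
---
# .goreleaser.yaml (fragment, added example)
sboms:
  - artifacts: archive          # one SBOM per archive, generated by syft
signs:
  - cmd: cosign
    certificate: "${artifact}.pem"
    args:
      - sign-blob
      - "--output-certificate=${certificate}"
      - "--output-signature=${signature}"
      - "${artifact}"
      - "--yes"
    artifacts: checksum         # signing the checksums file covers every artifact it lists
```

Consumers verify a download by checking its hash against the checksums file and then verifying that file's signature and certificate with `cosign verify-blob`.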
By the way, if you want to make your GoReleaser-powered project a bit more secure, check out this secure example repository: it uses many of the good practices learned during the session.
Security work is never really done. There's a long road ahead, but I feel like we are way more secure now than before.
If you are interested in security, or just want to help, I'm always available on the GoReleaser Discord - feel free to chime in there and let's chat. 🙏 GitHub discussions are also open.
Our greatest thanks to both the fund and the fund's partners for making this possible.