elastic / cloudbeat / 19178125395
76%
main: 76%

LAST BUILD BRANCH: gcp-sa-chain
DEFAULT BRANCH: main
Ran 07 Nov 2025 07:04PM UTC
Jobs 1
Files 226
Run time 1min
07 Nov 2025 06:50PM UTC coverage: 75.959%. Remained the same
19178125395

push

github

web-flow
Update Go to 1.24.9 to mitigate GHSA-gwrf-jf3h-w649 (CVE-2025-47906) (#3668)

### Summary of your changes

GHSA-gwrf-jf3h-w649 is a medium-severity vulnerability in
`os/exec.LookPath` where PATH entries containing executables (not
directories) combined with specific arguments (`""`, `"."`, `".."`) can
return unexpected binaries.

This PR updates Go from 1.24.7 to 1.24.9 following the same pattern as
PR #3607.

**Changes Made:**
- Updated Go from 1.24.7 to 1.24.9 in `go.mod` and `.go-version`
- Renamed `bin/.go-1.24.7.pkg` to `bin/.go-1.24.9.pkg` (hermit package)
- Updated `bin/go` and `bin/gofmt` symlinks to point to `.go-1.24.9.pkg`
- Updated `docs/version.asciidoc` with `:go-version: 1.24.9`
- No direct usage of `exec.LookPath` found in codebase
- Vulnerability exists in stdlib, affects all compiled binaries
regardless of direct usage

### Screenshot/Data

N/A - This is a Go version bump for security mitigation.

### Related Issues

- Related: GHSA-gwrf-jf3h-w649 (CVE-2025-47906)

### Checklist
- [ ] I have added tests that prove my fix is effective or that my
feature works
- [ ] I have added the necessary README/documentation (if appropriate)

#### Introducing a new rule?

- [ ] Generate rule metadata using [this
script](https://github.com/elastic/cloudbeat/tree/main/security-policies/dev#generate-rules-metadata)
- [ ] Add relevant unit tests
- [ ] Generate relevant rule templates using [this
script](https://github.com/elastic/cloudbeat/tree/main/security-policies/dev#generate-rule-templates),
and open a PR in
[elastic/packages/cloud_security_posture](https://github.com/elastic/integrations/tree/main/packages/cloud_security_posture)

<!-- START COPILOT CODING AGENT SUFFIX -->



<details>

<summary>Original prompt</summary>

> Check if repository impacted by GHSA-gwrf-jf3h-w649


</details>




9166 of 12067 relevant lines covered (75.96%)

16.09 hits per line

Jobs
| ID | Job ID | Ran | Files | Coverage |
|----|--------|-----|-------|----------|
| 1 | 19178125395.1 | 07 Nov 2025 07:04PM UTC | 226 | 75.96 |
Source Files on build 19178125395
  • Tree
  • List 226
  • Changed 0
  • Source Changed 0
  • Coverage Changed 0
  • 50119ee3 on github