Go Java v0.4.0 OWASP February 16, 2026

mycop v0.4.0: Go and Java Support — 200 Security Rules

We just shipped Go and Java support for mycop. 100 new security rules, bringing the total to 200 across five languages.

Languages

200

Security Rules

10/10

OWASP Top 10

What's new

mycop now scans Go and Java out of the box — same zero-config experience. Point it at your Go microservice or Spring Boot app and it works:

mycop scan ./my-go-service
mycop scan ./my-spring-app

50 Go rules (GO-SEC-001 through GO-SEC-050)

SQL injection via fmt.Sprintf and string concatenation
Command injection through exec.Command
InsecureSkipVerify: true — the #1 Go security mistake AI produces
Hardcoded secrets, credentials, and connection strings
Weak crypto (MD5, SHA1, DES, hardcoded IVs)
Unhandled errors, defer-in-loop, unsafe pointers
CGo injection, goroutine leaks, race conditions
Integer overflow, DNS rebinding, zip slip
Gin debug mode, gin trusted proxies, gRPC without TLS
SSRF, open redirects, CORS misconfiguration
JWT none algorithm, missing CSRF, mass assignment
Timing attacks, ReDoS, XXE, template injection

50 Java rules (JAVA-SEC-001 through JAVA-SEC-050)

SQL injection via Statement, Hibernate createQuery, Spring JdbcTemplate
Command injection through Runtime.exec()
XXE via DocumentBuilderFactory, insecure deserialization via ObjectInputStream
Weak crypto (MD5, SHA-1, DES, ECB mode, hardcoded IVs, insecure TLS)
Spring Security: CSRF disabled, permitAll, actuator exposed
Open redirects, CORS wildcard, header injection
LDAP injection, XPath injection
Expression language injection via ScriptEngine.eval()
Trust-all-certificates, weak password hashing, session fixation
Empty catch blocks, unsafe reflection, log injection
IDOR, zip slip, ReDoS
Template injection (Velocity/Freemarker/Thymeleaf), NoSQL injection

By the numbers

	v0.3	v0.4
Languages	3	5
Rules	100	200
OWASP Top 10	8/10	10/10

Every rule is tested

Both languages have comprehensive test fixtures that trigger all 50 rules each. CI asserts every rule ID fires — if a rule silently breaks, the build fails.

Upgrade

# Homebrew
brew upgrade mycop

# Cargo
cargo install mycop

# Install script
curl -fsSL https://raw.githubusercontent.com/AbdumajidRashidov/mycop/main/install.sh | sh

All existing commands, MCP integration, and CI workflows work with Go and Java automatically. No configuration changes needed.

Try it now

Scan your Go and Java projects for security vulnerabilities in seconds.

cargo install mycop && mycop scan . View on GitHub

mycop is MIT licensed and open source. Go and Java rules ship with the same binary — no additional installation required. See the full changelog for everything in v0.4.0.