Go modules · proxy.golang.org

github.com/pomerium/sdk-go

Shell Credential File Read

Why PkgRadar flagged v0.0.10-0.20260624160035-ae998b440618

Severity	Signal	Evidence
high	Shell Credential File Read	github.com/pomerium/[email protected]/keystore.go
high	Shell Credential File Read	github.com/pomerium/[email protected]/sdk.go

Showing signal labels only. Sign in to view the exact matched indicators for each finding.

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`v0.0.10-0.20260624160035-ae998b440618`	High risk	90	2026-06-26
`v0.0.10-0.20260618132024-97aa680ed6d0`	Low risk	0	2026-06-20
`v0.0.10-0.20260617154115-ce1b2eb6ef15`	Low risk	0	2026-06-19
`v0.0.10-0.20260615144838-074b72a55886`	Low risk	0	2026-06-16
`v0.0.10-0.20260605161428-36780b9256af`	Low risk	0	2026-06-07
`v0.0.10-0.20260604170533-5879f2c5f272`	Low risk	0	2026-06-06
`v0.0.10-0.20260603164022-d7db6c321180`	Low risk	0	2026-06-04
`v0.0.10-0.20260602161730-b2e6266c8ea3`	Low risk	0	2026-06-03
`v0.0.10-0.20260529202441-a40da184d349`	Low risk	0	2026-05-30
`v0.0.10-0.20260529180111-bd8ff637cf6c`	Low risk	0	2026-05-30
`v0.0.10-0.20260528155818-e620bf0dec3e`	Low risk	0	2026-05-30
`v0.0.10-0.20260528002201-9836da22ebb5`	Low risk	0	2026-05-29

Block this in CI

PkgRadar gates github.com/pomerium/sdk-go (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem go github.com/pomerium/[email protected]