gengo is a test-data generator, not a security tool. It is built on
math/rand/v2, a fast pseudo-random number
generator whose output is predictable and must not be relied upon for
any security-sensitive purpose.
Do not use gengo to generate:
- Passwords or passphrases
- API tokens, session IDs, or CSRF tokens
- Encryption keys, salts, nonces, or initialization vectors
- Password-reset tokens or any other secret
For all of the above, use Go's standard
crypto/rand package, which provides a
cryptographically secure random source.
Security fixes are applied to the latest released version only. Please upgrade to the most recent release before reporting an issue.
| Version | Supported |
|---|---|
| 0.0.27 | ✅ |
| < 0.0.27 | ❌ |
If you discover a security vulnerability in gengo, please report it privately so it can be addressed before public disclosure.
Use GitHub's private vulnerability reporting:
- Open the repository's Security tab.
- Click "Report a vulnerability" to start a private security advisory.
- Describe the issue, including steps to reproduce and the affected version(s).
Please do not open a public issue for security reports.
Reports will be acknowledged within a reasonable timeframe, and you will be kept informed of the progress toward a fix and release.
Note: Because gengo is intentionally non-cryptographic (see above), the predictability of its
math/rand/v2-based output is by design and is not considered a vulnerability. Reports should concern genuine security defects — for example, memory-safety issues or behavior that could compromise a consuming application.