Philippe Lafoucrière · e6723699 · 6e7c0700 · 66ebc45a · 47b01a4c · 31761fde
--- a/doc/development/go_guide/index.md

+ 28

− 0
+++ b/doc/development/go_guide/index.md

+ 28

− 0
 @@ -30,6 +30,24 @@ Reviewers and maintainers should pay attention to:

 TODO: Give examples

+### Security
+
+Security is our top-priority at GitLab. During code reviews, we must take care
+of possible security breaches in our code:
+
+- XSS using text/template
+- CSRF Protection using Gorilla
+- Use a Go version without know vulnerabilities
+- Don't leak secret tokens
+- SQL injections
+
+Remember to run
+[SAST](https://docs.gitlab.com/ee/user/project/merge_requests/sast.html) on
+your project, or at least the [gosec
+analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/gosec).
+
+Web servers can take advantages of middlewares like https://github.com/unrolled/secure 
+
 ### Finding a reviewer

 Many of our projects are too small to have full-time maintainers. That's why we
 @@ -83,6 +101,16 @@ Modules](https://github.com/golang/go/wiki/Modules)". It provides a way to
 define and lock dependencies for reproducible builds. It should be used
 whenever possible.

+### ORM
+
+We don't use ORMs at GitLab (except ActiveRecord, in Ruby on Rails of course).
+Projects can be structured with services to avoid them.
+[PQ](https://github.com/lib/pq) should be enough to interact with PostgreSQL databases.
+
+### Migrations
+
+TODO: https://github.com/db-journey/journey?
+
 ## Testing

 We don't use any specific framework for testing, as the standard library