I’ve spent most of my career working in New York City. Every morning, I’d walk past those towering skyscrapers, genuinely amazed at what humans can build together. The engineering, the coordination, the trust required. It’s breathtaking.
What fascinates me most is the foundation. While everyone admires the gleaming towers, I think about the engineers who spent months planning what goes sixty feet underground. That invisible work makes everything else possible. No Instagram posts about foundation concrete. No TED talks about rebar placement.
In software, we build on similar foundations, and I’ve been incredibly fortunate to help create some of them.
An Honor and a Renewed Responsibility
When I learned that Cobra and Viper were selected for the inaugural GitHub Secure Open Source Fund, I felt a mix of profound gratitude and renewed responsibility.
These projects started over a dozen years ago. Cobra was born because no library existed in Go at the time that could enable the Hugo experience I had envisioned. Viper? I just wanted config management that didn’t make me question my career choices. I never imagined they’d become the foundation for projects like Kubernetes, Docker, Caddy, and the GitHub CLI.
The responsibility isn’t just an intellectual exercise; it’s real and troubling. When millions of production systems depend on your code, “YOLO-driven development” stops being funny real quick.
Learning from Shared Challenges
The Log4Shell vulnerability was a wake-up call for all of us. The Log4j team, who graciously shared their experiences as part of this GitHub cohort, showed us how quickly a single vulnerability can become a global crisis.
Their openness taught me so much. We’re all vulnerable. We’re all doing our best with limited resources. And we all need to support each other better.
That’s what made this GitHub program so powerful: it was about learning together how to do better.
A Cohort of Collaboration
The GitHub program exceeded every expectation. We worked with tools like CodeQL and Dependabot, but more importantly, we worked with each other.
Being in the program with teams from Ollama, Caddy, Flux, Colima, Ente, and ZITADEL reminded me why I love open source.
We shared our struggles, our solutions, and our hopes. The Ollama team showed us how they handle AI model security. The Colima team shared their experiences with container security in a world where containers are the new VMs.
We weren’t competing; we were collaborating. Every improvement to one project strengthens the entire ecosystem. Your security is my security. We rise together.
Security Boot Camp, Not Security Theater
In a workshop titled “CodeQL from Zero to Hero,” we were instructed by GitHub’s leading security researcher. She didn’t just teach us theory; she showed us how to practically apply CodeQL. After a few introductory exercises, she had the participants switch from a test database to a real one from an open source project she had previously analyzed.
She guided everyone in writing a data flow query from scratch. The goal was to find any place where user input (source) flowed into a dangerous command execution function (sink). After assembling the final query, the group ran it. The results lit up the screen, revealing 16 distinct command injection vulnerabilities.
The “aha” moment was seeing how they all stemmed from a popular machine learning framework called Gradio, which the query had identified as a source of user input. The instructor explained how she had previously modeled that framework in CodeQL, allowing her to find all these “variants” of the same vulnerability. It was a live demonstration of moving from learning a new skill to finding critical, real world security flaws in a matter of minutes. This wasn’t just a workshop; it was a masterclass in how to think like a security researcher. It was about building skills, not just checking boxes.
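The workshop query was written in CodeQL against a Python project, so here is an added illustration, in Go since that is the language of Cobra and Viper, of the source-to-sink shape such a data flow query reports. It is not code from the post, the workshop, or the Cobra/Viper projects. A command-line argument (the source) reaches a command execution function (the sink) through string formatting in the vulnerable builder; the hardened builder next to it passes argv without a shell and validates the input against an allowlist. The service-status scenario, the `usesShell` helper, and the allowlist pattern are assumptions made for this example; nothing here is actually executed.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
)

// vulnerableBuild shows the pattern a source-to-sink query flags:
// a user-controlled string (e.g. a CLI argument) is interpolated into a
// command line that a shell will parse. Any shell metacharacter in
// `service` changes what gets run. Hypothetical scenario for illustration.
func vulnerableBuild(service string) *exec.Cmd {
	return exec.Command("sh", "-c", fmt.Sprintf("systemctl status %s", service))
}

// serviceName is an assumed allowlist for acceptable unit names.
var serviceName = regexp.MustCompile(`^[A-Za-z0-9_.@-]+$`)

// hardenedBuild breaks the flow in two ways: the input is validated
// against an allowlist, and argv is passed directly to the program with
// no shell in between, so metacharacters have no special meaning.
func hardenedBuild(service string) (*exec.Cmd, error) {
	if !serviceName.MatchString(service) {
		return nil, errors.New("invalid service name")
	}
	return exec.Command("systemctl", "status", service), nil
}

// usesShell reports whether a command would be interpreted by a shell,
// which is what a taint query's sink model treats as dangerous.
func usesShell(cmd *exec.Cmd) bool {
	return len(cmd.Args) >= 2 && cmd.Args[0] == "sh" && cmd.Args[1] == "-c"
}

func main() {
	// Constructed sample input carrying a shell metacharacter.
	input := "nginx; echo injected"

	v := vulnerableBuild(input)
	fmt.Printf("vulnerable argv: %q (shell: %v)\n", v.Args, usesShell(v))

	if _, err := hardenedBuild(input); err != nil {
		fmt.Println("hardened builder rejected input:", err)
	}
	h, _ := hardenedBuild("nginx")
	fmt.Printf("hardened argv:   %q (shell: %v)\n", h.Args, usesShell(h))
}
```

Reading the two builders side by side is the same exercise the query automates: the source is the `service` parameter, the sink is `exec.Command`, and the query asks whether data can get from one to the other without passing through a sanitizer. Validation alone is fragile; removing the shell from the path removes the sink's dangerous interpretation entirely.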
Building on a Strong Foundation
During my time leading the Go team at Google, I had the privilege of working with Rob Pike, Robert Griesemer, and Ken Thompson. They didn’t just create a language; they encoded decades of hard-won wisdom about what goes wrong in systems programming.
The decisions we made (immutable strings, no pointer arithmetic, explicit error handling, integrated fuzzing and vulnerability scanning) weren’t just technical choices. They were investments in the future security of every Go program. When I started Cobra and Viper, I wanted to build on that foundation. I wanted to create libraries that were not just powerful, but also secure by default. When I joined the Go team, I thought of this heavy responsibility as a privilege. I wanted to make sure that the tools we built would help developers avoid the pitfalls that had plagued so many other languages.
The Uncomfortable Economics of Open Source Security
I want to be transparent: maintaining critical open source infrastructure is challenging. I’ve been fortunate to have support from companies like Google, Docker, MongoDB, and Two Sigma throughout this journey.
But even with that support, security improvements often take a backseat. Why? Building new features is exciting. Users shout in celebration about new features (or riot over missing features). They only whisper about security… until something catastrophic happens.
The GitHub fund is a start to changing this dynamic. It’s recognition that this often invisible security work is essential infrastructure that deserves dedicated time and resources.
A Community Achievement
This recognition belongs to everyone who has contributed to Cobra and Viper. Every person who submitted a PR, reported an issue, or reviewed code late into the night: you made this possible.
I especially want to acknowledge the people who do the quiet, essential work: writing documentation, patiently answering questions, and creating examples that make concepts click. You are the heart of these projects.
This achievement is yours as much as ours.
Your Action Items (Yes, You)
If you use Cobra or Viper: Thank you for your trust. Update to the latest versions to get these improvements. We’re committed to maintaining this higher standard.
If you maintain open source: I encourage you to explore the security resources available through OpenSSF. The tools are accessible, and the community is supportive. We’re all learning together.
If your company depends on open source: Please consider how you might support the projects that form your foundation. Giving your employees time to contribute back is often the most valuable support you can offer.
The View From Here
Looking at where these projects are today fills me with gratitude. We built the foundation. The Go community reinforced it. And now, thanks to GitHub and this incredible cohort, we’ve done the seismic retrofitting to make sure it can handle whatever comes next.
To everyone who’s been part of this journey, thank you.
Now if you’ll excuse me, I need to update some dependencies. Security never sleeps, but at least now it has better tooling.
P.S. - For a deep dive into the technical details, the Cobra team’s post has comprehensive notes. If you have questions, we genuinely want to hear them—that’s how we all improve.
P.P.S. - If you’re wondering about the impact: when you run kubectl, you’re using Cobra. When your services load configuration, they’re likely using Viper. We’re all connected in this dependency graph we call modern software. Thank you for being part of it.