Background: This recent article https://blog.trailofbits.com/2025/06/17/unexpected-security-footguns-in-gos-parsers/ describes (among other things) a number of security weaknesses in Go's encoding/json package. Some of these could be mitigated by better static checking of struct field tags; indeed, the author of the post links to two semgrep rules that enforce these checks. Specifically:
semgrep -c r/trailofbits.go.unmarshal-tag-is-dashsemgrep -c r/trailofbits.go.unmarshal-tag-is-omitempty
Proposal: Let's add these two checks to the structtag analyzer so that users get immediate feedback in their LSP-enabled editor, and whenever they run go vet.