2016-08-05 18:54:29 +02:00
2018-07-19 18:46:26 +02:00
## gosec -Golang Security Checker
2016-07-20 12:02:01 +02:00
Inspects source code for security problems by scanning the Go AST.
2016-08-28 20:09:52 +02:00
### License
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License [here ](http://www.apache.org/licenses/LICENSE-2.0 ).
2016-07-25 18:51:19 +02:00
### Project status
2018-07-19 18:46:26 +02:00
[![Build Status ](https://travis-ci.org/securego/gosec.svg?branch=master )](https://travis-ci.org/securego/gosec)
[![GoDoc ](https://godoc.org/github.com/securego/gosec?status.svg )](https://godoc.org/github.com/securego/gosec)
2018-07-20 01:23:46 +02:00
[![Slack ](http://securego.herokuapp.com/badge.svg )](http://securego.herokuapp.com)
2018-07-20 01:22:43 +02:00
2016-07-25 18:51:19 +02:00
2018-01-11 03:31:08 +02:00
### Install
2018-07-19 18:46:26 +02:00
`$ go get github.com/securego/gosec/cmd/gosec/...`
2018-01-11 03:31:08 +02:00
2016-07-20 12:02:01 +02:00
### Usage
2018-07-19 18:46:26 +02:00
Gosec can be configured to only run a subset of rules, to exclude certain file
2016-07-20 12:02:01 +02:00
paths, and produce reports in different formats. By default all rules will be
run against the supplied input files. To recursively scan from the current
directory you can supply './...' as the input argument.
#### Selecting rules
2018-07-19 18:46:26 +02:00
By default gosec will run all rules against the supplied file paths. It is however possible to select a subset of rules to run via the '-include=' flag,
2016-08-28 20:07:28 +02:00
or to specify a set of rules to explicitly exclude using the '-exclude=' flag.
2016-07-20 12:02:01 +02:00
##### Available rules
2016-08-28 20:07:28 +02:00
- G101: Look for hardcoded credentials
- G102: Bind to all interfaces
- G103: Audit the use of unsafe block
- G104: Audit errors not checked
2017-04-10 19:40:27 +02:00
- G105: Audit the use of math/big.Int.Exp
2018-02-06 17:59:00 +02:00
- G106: Audit the use of ssh.InsecureIgnoreHostKey
2016-08-28 20:07:28 +02:00
- G201: SQL query construction using format string
- G202: SQL query construction using string concatenation
- G203: Use of unescaped data in HTML templates
- G204: Audit use of command execution
- G301: Poor file permissions used when creating a directory
- G302: Poor file permisions used with chmod
- G303: Creating tempfile using a predictable path
2018-03-09 01:23:27 +02:00
- G304: File path provided as taint input
2018-07-18 14:31:07 +02:00
- G305: File traversal when extracting zip archive
2016-08-28 20:07:28 +02:00
- G401: Detect the usage of DES, RC4, or MD5
- G402: Look for bad TLS connection settings
- G403: Ensure minimum RSA key length of 2048 bits
- G404: Insecure random number source (rand)
- G501: Import blacklist: crypto/md5
- G502: Import blacklist: crypto/des
- G503: Import blacklist: crypto/rc4
- G504: Import blacklist: net/http/cgi
2016-07-20 12:02:01 +02:00
```
2016-08-28 20:07:28 +02:00
# Run a specific set of rules
2018-07-19 18:46:26 +02:00
$ gosec -include=G101,G203,G401 ./...
2016-08-28 20:07:28 +02:00
# Run everything except for rule G303
2018-07-19 18:46:26 +02:00
$ gosec -exclude=G303 ./...
2016-07-20 12:02:01 +02:00
```
#### Excluding files:
2018-07-19 18:46:26 +02:00
gosec will ignore dependencies in your vendor directory any files
2017-12-13 08:35:54 +02:00
that are not considered build artifacts by the compiler (so test files).
2016-07-20 12:02:01 +02:00
#### Annotating code
2018-07-19 18:46:26 +02:00
As with all automated detection tools there will be cases of false positives. In cases where gosec reports a failure that has been manually verified as being safe it is possible to annotate the code with a '#nosec' comment.
2016-07-27 10:36:13 +02:00
2018-07-19 18:46:26 +02:00
The annotation causes gosec to stop processing any further nodes within the
2016-07-20 12:02:01 +02:00
AST so can apply to a whole block or more granularly to a single expression.
```go
import "md5" // #nosec
func main(){
2016-07-22 16:50:30 +02:00
/* #nosec */
2016-07-20 12:02:01 +02:00
if x > y {
h := md5.New() // this will also be ignored
}
}
```
In some cases you may also want to revisit places where #nosec annotations
2016-07-22 16:50:30 +02:00
have been used. To run the scanner and ignore any #nosec annotations you
can do the following:
2016-07-20 12:02:01 +02:00
```
2018-07-19 18:46:26 +02:00
$ gosec -nosec=true ./...
2016-07-20 12:02:01 +02:00
```
2018-04-20 01:45:04 +02:00
#### Build tags
2018-07-19 18:46:26 +02:00
gosec is able to pass your [Go build tags ](https://golang.org/pkg/go/build/ ) to the analyzer.
2018-04-20 01:45:04 +02:00
They can be provided as a comma separated list as follows:
```
2018-07-19 18:46:26 +02:00
$ gosec -tag debug,ignore ./...
2018-04-20 01:45:04 +02:00
```
2016-07-20 12:02:01 +02:00
### Output formats
2018-07-19 18:46:26 +02:00
gosec currently supports text, json, yaml, csv and JUnit XML output formats. By default
2016-07-22 16:50:30 +02:00
results will be reported to stdout, but can also be written to an output
file. The output format is controlled by the '-fmt' flag, and the output file is controlled by the '-out' flag as follows:
2016-07-20 12:02:01 +02:00
```
# Write output in json format to results.json
2018-07-19 18:46:26 +02:00
$ gosec -fmt=json -out=results.json *.go
2016-07-20 12:02:01 +02:00
```
2018-03-13 00:57:10 +02:00
### Development
2017-08-03 19:50:58 +02:00
2018-03-20 01:21:32 +02:00
#### Prerequisites
Install dep according to the instructions here: https://github.com/golang/dep
Install the latest version of golint: https://github.com/golang/lint
2018-03-13 00:57:10 +02:00
2018-03-20 01:21:32 +02:00
#### Build
2018-03-13 00:57:10 +02:00
```
make
```
#### Tests
```
2018-03-20 01:21:32 +02:00
make test
2018-03-13 00:57:10 +02:00
```
#### Release Build
2018-07-27 14:41:45 +02:00
Make sure you have installed the [goreleaser ](https://github.com/goreleaser/goreleaser ) tool and then you can release gosec as follows:
git tag 1.0.0
export GITHUB_TOKEN=< YOUR GITHUB TOKEN >
make release
2018-03-13 00:57:10 +02:00
2018-07-27 14:41:45 +02:00
The released version of the tool is available in the `dist` folder. The build information should be displayed in the usage text.
2018-03-13 00:57:10 +02:00
```
2018-07-27 14:41:45 +02:00
./dist/darwin_amd64/gosec -h
2018-07-19 18:46:26 +02:00
gosec - Golang security checker
2018-03-13 00:57:10 +02:00
2018-07-19 18:46:26 +02:00
gosec analyzes Go source code to look for common programming mistakes that
2018-03-13 00:57:10 +02:00
can lead to security problems.
2018-07-27 14:41:45 +02:00
VERSION: 1.0.0
GIT TAG: 1.0.0
BUILD DATE: 2018-04-27T12:41:38Z
2018-03-13 00:57:10 +02:00
```
2018-07-27 14:41:45 +02:00
Note that all released archives are also uploaded to GitHub.
2018-03-13 00:57:10 +02:00
#### Docker image
You can execute a release and build the docker image as follows:
```
2018-07-27 14:41:45 +02:00
git tag < VERSION >
export GITHUB_TOKEN=< Your GitHub token >
make image
2018-03-13 00:57:10 +02:00
```
2018-07-19 18:46:26 +02:00
Now you can run the gosec tool in a container against your local workspace:
2018-03-13 00:57:10 +02:00
```
2018-07-19 18:46:26 +02:00
docker run -it -v < YOUR LOCAL WORKSPACE > :/workspace gosec /workspace
2018-03-13 00:57:10 +02:00
```
#### Generate TLS rule
2018-02-21 07:59:18 +02:00
The configuration of TLS rule can be generated from [Mozilla's TLS ciphers recommendation ](https://statics.tls.security.mozilla.org/server-side-tls-conf.json ).
First you need to install the generator tool:
```
2018-07-19 18:46:26 +02:00
go get github.com/securego/gosec/cmd/tlsconfig/...
2018-02-21 07:59:18 +02:00
```
You can invoke now the `go generate` in the root of the project:
```
go generate ./...
```
This will generate the `rules/tls_config.go` file with will contain the current ciphers recommendation from Mozilla.