From 3cd0ebee96bda357ac92f81083d31ac887061dfe Mon Sep 17 00:00:00 2001
From: Cedric Staub
Date: Wed, 27 Jul 2016 22:51:34 -0700
Subject: [PATCH] Smarter hard-coded credentials check

Check right-hand side expr for literals when looking for hard-coded credentials. This is to avoid issuing warnings for cases where a password, token, etc. is read from a file or a terminal.
---
 rules/hardcoded_credentials.go | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/rules/hardcoded_credentials.go b/rules/hardcoded_credentials.go
index 99f4733..83c9f64 100644
--- a/rules/hardcoded_credentials.go
+++ b/rules/hardcoded_credentials.go
@@ -15,9 +15,10 @@ package rules
 
 import (
-	gas "github.com/HewlettPackard/gas/core"
 	"go/ast"
 	"regexp"
+
+	gas "github.com/HewlettPackard/gas/core"
 )
 
 type CredsAssign struct {
@@ -30,8 +31,11 @@ func (r *CredsAssign) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err erro
 	for _, i := range node.Lhs {
 		if ident, ok := i.(*ast.Ident); ok {
 			if r.pattern.MatchString(ident.Name) {
-				gi = gas.NewIssue(c, n, r.What, r.Severity, r.Confidence)
-				break
+				for _, e := range node.Rhs {
+					if _, ok := e.(*ast.BasicLit); ok {
+						return gas.NewIssue(c, n, r.What, r.Severity, r.Confidence), nil
+					}
+				}
 			}
 		}
 	}
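Review bot: The added `for _, e := range node.Rhs` loop tests every right-hand value instead of the one assigned to the matched identifier, so a multi-assignment such as `password, n := readPassword(), 0` is still reported because of the `0`, and `n, password := 0, readPassword()` is reported for the same reason; when `len(node.Rhs) == len(node.Lhs)` the check should look only at `node.Rhs[idx]` for the matched index, which also covers the single-value case, while a multi-value call on the right is never a literal and needs no scan. `*ast.BasicLit` additionally matches numeric and char literals, so `passwordLength := 8` trips the identifier pattern; checking the literal's `Kind` field against `token.STRING` (which needs a `go/token` import) would narrow the rule to the hard-coded-secret case it is meant to find. A string literal wrapped in a conversion or concatenation (`[]byte("…")`, `"a" + "b"`) is no longer reported after this change, which is worth stating in a comment on the loop so the deliberate false-negative trade-off is visible. Match's signature and the `node` assertion are before the hunk and its final return is after it.
```go
for idx, i := range node.Lhs {
	if ident, ok := i.(*ast.Ident); ok {
		if r.pattern.MatchString(ident.Name) {
			// Pair the identifier with its own value; a multi-value call on
			// the right (len(Rhs) != len(Lhs)) can never be a literal.
			if len(node.Rhs) == len(node.Lhs) {
				if lit, ok := node.Rhs[idx].(*ast.BasicLit); ok && lit.Kind == token.STRING {
					return gas.NewIssue(c, n, r.What, r.Severity, r.Confidence), nil
				}
			}
		}
	}
}
```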