diff --git a/README.md b/README.md index 6a539ae..951fd2a 100644 --- a/README.md +++ b/README.md 
@@ -15,15 +15,26 @@ By default Gas will run all rules against the supplied file paths. It is however ##### Available rules -- __crypto__ - Detects use of weak cryptography primatives -- __tls__ - Detects if TLS certificate verification is disabled -- __sql__ - SQL injection vectors -- __hardcoded__ - Potential hardcoded credentials -- __perms__ - Insecure file permissions +- __crypto__ - Detects use of weak cryptography primitives. +- __tls__ - Detects if TLS certificate verification is disabled. +- __sql__ - SQL injection vectors. +- __hardcoded__ - Potential hardcoded credentials. +- __perms__ - Insecure file permissions. - __tempfile__ - Insecure creation of temporary files -- __unsafe__- Detects use of the unsafe pointer functions -- __bind__- Listening on all network interfaces -- __rsa__- Weak RSA keys +- __unsafe__- Detects use of the unsafe pointer functions. +- __bind__- Listening on all network interfaces. +- __rsa__- Warns for RSA keys that are less than 2048 bits. +- __tls_good__ - Checks to ensure ciphers and protocol versions are +explicitly enabled to meet the [modern compatibility](https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility) standards recommended by Mozilla. +- __tls_ok__ - Checks to ensure ciphers and protocol versions are +explicitly enabled to meet the [intermediate compatibility]( https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29) standards recommended by Mozilla. +- __tls_old__ - Checks to ensure ciphers and protocol versions are +explicitly enabled to meet the [older compatibility](https://wiki.mozilla.org/Security/Server_Side_TLS#Old_compatibility_.28default.29) standards recommended by Mozilla. +- __templates__ - Detect cases where input is not escaped when entered into Go HTML templates. +- exec - Report cases where the application is executing an external process. +- __errors__ - Report error return values that are ignored. 
+- __httpoxy__ - Report on CGI usage as it may indicate vulnerability to the [httpoxy](https://httpoxy.org/) vulnerability. + ``` @@ -54,7 +65,7 @@ import "md5" // #nosec func main(){ - /* # nosec */ + /* #nosec */ if x > y { h := md5.New() // this will also be ignored } @@ -64,8 +75,8 @@ func main(){ ``` In some cases you may also want to revisit places where #nosec annotations -have been used. To run the scanner and ignore any #nosec annotations you can - do the following: +have been used. To run the scanner and ignore any #nosec annotations you +can do the following: ``` $ gas -nosec=true ./... @@ -73,10 +84,9 @@ $ gas -nosec=true ./... ### Output formats -Gas currently supports text, json and csv output formats. By default results -will be reported to stdout, but can also be written to an output file. The -output format is controlled by the '-fmt' flag, and the output file is -controlled by the '-out' flag as follows: +Gas currently supports text, json and csv output formats. By default +results will be reported to stdout, but can also be written to an output +file. The output format is controlled by the '-fmt' flag, and the output file is controlled by the '-out' flag as follows: ``` # Write output in json format to results.json
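Review bot: in the rules-list hunk the new `exec` entry is the only rule name without the `__…__` bold markers, and the rewritten `__unsafe__-`, `__bind__-` and `__rsa__-` lines still lack the space before the hyphen that every other entry has; since these lines are being touched anyway, normalize them to the form used elsewhere, e.g. `- __exec__ - Report cases where the application is executing an external process.` and `- __unsafe__ - Detects use of the unsafe pointer functions.` Two smaller points in the same hunk: `__tempfile__` is the only entry left without the trailing period the others just gained, and the `tls_ok` link has a stray space after `](` (`[intermediate compatibility]( https://wiki.mozilla.org/...`) that some Markdown renderers treat as breaking the link.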
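Review bot: the change from `/* # nosec */` to `/* #nosec */` in the code sample implies the annotation is matched literally, without whitespace between `#` and `nosec`, but nothing in the surrounding text says so; consider adding a sentence next to the example stating that the marker must be written exactly as `#nosec`, so the reason for this correction is visible to readers rather than only to anyone diffing the README.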
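Review bot: the reflow in the "Output formats" hunk is uneven: the first two lines are now wrapped at the same width as the rest of the README, but the third (`file. The output format is controlled by the '-fmt' flag, and the output file is controlled by the '-out' flag as follows:`) runs well past it; wrap that line at the same width so the paragraph matches the `#nosec` paragraph reflowed earlier in this patch.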