2016-08-05 17:54:29 +01:00
2018-10-05 10:57:14 +01:00
# gosec - Golang Security Checker
2016-07-20 11:02:01 +01:00
Inspects source code for security problems by scanning the Go AST.
2018-09-25 10:44:53 +01:00
< img src = "https://securego.io/img/gosec.png" width = "320" >
2018-10-05 10:57:14 +01:00
## License
2016-08-28 19:09:52 +01:00
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License [here ](http://www.apache.org/licenses/LICENSE-2.0 ).
2018-10-05 10:57:14 +01:00
## Project status
2016-07-25 17:51:19 +01:00
2018-07-19 17:46:26 +01:00
[](https://travis-ci.org/securego/gosec)
2018-12-11 17:15:58 +00:00
[](https://codecov.io/gh/securego/gosec)
2019-02-13 10:27:11 +00:00
[](https://goreportcard.com/badge/github.com/securego/gosec)
2018-07-19 17:46:26 +01:00
[](https://godoc.org/github.com/securego/gosec)
2019-02-13 10:27:11 +00:00
[](https://securego.io/)
[](https://github.com/securego/gosec/releases)
[](https://hub.docker.com/r/securego/gosec/tags)
2018-07-20 00:23:46 +01:00
[](http://securego.herokuapp.com)
2018-07-20 00:22:43 +01:00
2018-10-05 10:57:14 +01:00
## Install
### CI Installation
```bash
# binary will be $GOPATH/bin/gosec
curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $GOPATH/bin vX.Y.Z
2016-07-25 17:51:19 +01:00
2018-10-05 10:57:14 +01:00
# or install it into ./bin/
curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s vX.Y.Z
# In alpine linux (as it does not come with curl by default)
wget -O - -q https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s vX.Y.Z
2019-06-06 09:49:58 +01:00
# If you want to use the checksums provided on the "Releases" page
# then you will have to download a tar.gz file for your operating system instead of a binary file
wget https://github.com/securego/gosec/releases/download/vX.Y.Z/gosec_vX.Y.Z_OS.tar.gz
# The file will be in the current folder where you run the command
# and you can check the checksum like this
echo "< check sum from the check sum file > gosec_vX.Y.Z_OS.tar.gz" | sha256sum -c -
2018-10-05 10:57:14 +01:00
gosec --help
```
### Local Installation
2018-01-11 01:31:08 +00:00
2019-05-02 08:19:18 +01:00
```bash
go get github.com/securego/gosec/cmd/gosec
```
2018-01-11 01:31:08 +00:00
2018-10-05 10:57:14 +01:00
## Usage
2016-07-20 11:02:01 +01:00
2018-07-19 17:46:26 +01:00
Gosec can be configured to only run a subset of rules, to exclude certain file
2016-07-20 11:02:01 +01:00
paths, and produce reports in different formats. By default all rules will be
run against the supplied input files. To recursively scan from the current
directory you can supply './...' as the input argument.
2018-10-05 10:57:14 +01:00
### Selecting rules
2016-07-20 11:02:01 +01:00
2018-07-19 17:46:26 +01:00
By default gosec will run all rules against the supplied file paths. It is however possible to select a subset of rules to run via the '-include=' flag,
2016-08-28 19:07:28 +01:00
or to specify a set of rules to explicitly exclude using the '-exclude=' flag.
2016-07-20 11:02:01 +01:00
2018-10-05 10:57:14 +01:00
### Available rules
- G101: Look for hard coded credentials
- G102: Bind to all interfaces
- G103: Audit the use of unsafe block
- G104: Audit errors not checked
- G105: Audit the use of math/big.Int.Exp
- G106: Audit the use of ssh.InsecureIgnoreHostKey
- G107: Url provided to HTTP request as taint input
- G201: SQL query construction using format string
- G202: SQL query construction using string concatenation
- G203: Use of unescaped data in HTML templates
- G204: Audit use of command execution
- G301: Poor file permissions used when creating a directory
- G302: Poor file permissions used with chmod
- G303: Creating tempfile using a predictable path
- G304: File path provided as taint input
- G305: File traversal when extracting zip archive
- G401: Detect the usage of DES, RC4, MD5 or SHA1
- G402: Look for bad TLS connection settings
- G403: Ensure minimum RSA key length of 2048 bits
- G404: Insecure random number source (rand)
- G501: Import blacklist: crypto/md5
- G502: Import blacklist: crypto/des
- G503: Import blacklist: crypto/rc4
- G504: Import blacklist: net/http/cgi
- G505: Import blacklist: crypto/sha1
```bash
2016-08-28 19:07:28 +01:00
# Run a specific set of rules
2018-07-19 17:46:26 +01:00
$ gosec -include=G101,G203,G401 ./...
2016-08-28 19:07:28 +01:00
# Run everything except for rule G303
2018-07-19 17:46:26 +01:00
$ gosec -exclude=G303 ./...
2016-07-20 11:02:01 +01:00
```
2019-01-14 11:43:12 +00:00
### Configuration
A number of global settings can be provided in a configuration file as follows:
```JSON
{
"global": {
"nosec": "enabled",
2019-01-22 14:25:14 +00:00
"audit": "enabled"
2019-01-14 11:43:12 +00:00
}
}
```
- `nosec` : this setting will overwrite all `#nosec` directives defined throughout the code base
2019-01-14 11:45:02 +00:00
- `audit` : runs in audit mode which enables addition checks that for normal code analysis might be too nosy
2019-01-14 11:43:12 +00:00
```bash
# Run with a global configuration file
2019-03-05 12:48:59 +00:00
$ gosec -conf config.json .
2019-01-14 11:43:12 +00:00
```
2019-06-25 10:26:28 +01:00
Also some rules accept configuration. For instance on rule `G104` , it is possible to define packages along with a list
of functions which will be skipped when auditing the not checked errors:
```JSON
{
"G104": {
"io/ioutil": ["WriteFile"]
}
}
```
2019-01-14 11:43:12 +00:00
2019-09-09 12:11:12 +01:00
### Dependencies
gosec will fetch automatically the dependencies of the code which is being analyzed when go modules are turned on (e.g.` GO111MODULE=on`). If this is not the case,
the dependencies need to be explicitly downloaded by running the `go get -d` command before the scan.
2019-09-09 13:01:36 +01:00
### Excluding test files and folders
2019-09-09 12:11:12 +01:00
2019-09-09 13:01:36 +01:00
gosec will ignore test files across all packages and any dependencies in your vendor directory.
2016-07-20 11:02:01 +01:00
2019-09-09 13:01:36 +01:00
The scanning of test files can be enabled with the following flag:
2019-04-28 18:39:43 +01:00
```bash
2019-09-09 13:01:36 +01:00
gosec -tests ./...
```
Also additional folders can be excluded as follows:
```bash
gosec -exclude-dir=rules -exclude-dir=cmd ./...
2019-04-28 18:39:43 +01:00
```
2016-07-20 11:02:01 +01:00
2018-10-05 10:57:14 +01:00
### Annotating code
2016-07-20 11:02:01 +01:00
2018-07-19 17:46:26 +01:00
As with all automated detection tools there will be cases of false positives. In cases where gosec reports a failure that has been manually verified as being safe it is possible to annotate the code with a '#nosec' comment.
2016-07-27 09:36:13 +01:00
2018-07-31 21:22:19 +01:00
The annotation causes gosec to stop processing any further nodes within the
2018-09-04 07:55:03 +01:00
AST so can apply to a whole block or more granularly to a single expression.
2016-07-20 11:02:01 +01:00
```go
import "md5" // #nosec
func main(){
2016-07-22 15:50:30 +01:00
/* #nosec */
2016-07-20 11:02:01 +01:00
if x > y {
h := md5.New() // this will also be ignored
}
}
```
2018-07-31 21:22:19 +01:00
When a specific false positive has been identified and verified as safe, you may wish to suppress only that single rule (or a specific set of rules) within a section of code, while continuing to scan for other problems. To do this, you can list the rule(s) to be suppressed within the `#nosec` annotation, e.g: `/* #nosec G401 */` or `// #nosec G201 G202 G203 `
2016-07-20 11:02:01 +01:00
In some cases you may also want to revisit places where #nosec annotations
2016-07-22 15:50:30 +01:00
have been used. To run the scanner and ignore any #nosec annotations you
can do the following:
2016-07-20 11:02:01 +01:00
2018-10-05 10:57:14 +01:00
```bash
gosec -nosec=true ./...
2016-07-20 11:02:01 +01:00
```
2018-10-05 10:57:14 +01:00
### Build tags
2018-04-20 00:45:04 +01:00
2018-07-19 17:46:26 +01:00
gosec is able to pass your [Go build tags ](https://golang.org/pkg/go/build/ ) to the analyzer.
2018-04-20 00:45:04 +01:00
They can be provided as a comma separated list as follows:
2018-10-05 10:57:14 +01:00
```bash
gosec -tag debug,ignore ./...
2018-04-20 00:45:04 +01:00
```
2016-07-20 11:02:01 +01:00
### Output formats
2019-03-11 20:40:03 +00:00
gosec currently supports text, json, yaml, csv, sonarqube and JUnit XML output formats. By default
2016-07-22 15:50:30 +01:00
results will be reported to stdout, but can also be written to an output
file. The output format is controlled by the '-fmt' flag, and the output file is controlled by the '-out' flag as follows:
2016-07-20 11:02:01 +01:00
2018-10-05 10:57:14 +01:00
```bash
2016-07-20 11:02:01 +01:00
# Write output in json format to results.json
2018-07-19 17:46:26 +01:00
$ gosec -fmt=json -out=results.json *.go
2016-07-20 11:02:01 +01:00
```
2017-08-03 18:50:58 +01:00
2018-10-05 10:57:14 +01:00
## Development
### Build
2018-03-12 22:57:10 +00:00
2018-10-05 10:57:14 +01:00
```bash
2018-03-12 22:57:10 +00:00
make
```
2018-10-05 10:57:14 +01:00
### Tests
2018-03-12 22:57:10 +00:00
2018-10-05 10:57:14 +01:00
```bash
2018-03-19 23:21:32 +00:00
make test
2018-03-12 22:57:10 +00:00
```
2018-10-05 10:57:14 +01:00
### Release Build
2018-03-12 22:57:10 +00:00
2018-07-27 13:41:45 +01:00
Make sure you have installed the [goreleaser ](https://github.com/goreleaser/goreleaser ) tool and then you can release gosec as follows:
2018-08-21 10:14:30 +01:00
2018-10-05 10:57:14 +01:00
```bash
2019-09-09 12:11:32 +01:00
git tag v1.0.0
2018-07-27 13:41:45 +01:00
export GITHUB_TOKEN=< YOUR GITHUB TOKEN >
make release
2018-08-21 10:14:30 +01:00
```
2018-03-12 22:57:10 +00:00
2018-07-27 13:41:45 +01:00
The released version of the tool is available in the `dist` folder. The build information should be displayed in the usage text.
2018-03-12 22:57:10 +00:00
2018-10-05 10:57:14 +01:00
```bash
2018-07-27 13:41:45 +01:00
./dist/darwin_amd64/gosec -h
2018-07-19 17:46:26 +01:00
gosec - Golang security checker
2018-03-12 22:57:10 +00:00
2018-07-19 17:46:26 +01:00
gosec analyzes Go source code to look for common programming mistakes that
2018-03-12 22:57:10 +00:00
can lead to security problems.
2018-07-27 13:41:45 +01:00
VERSION: 1.0.0
2019-09-09 12:11:32 +01:00
GIT TAG: v1.0.0
2018-07-27 13:41:45 +01:00
BUILD DATE: 2018-04-27T12:41:38Z
2018-03-12 22:57:10 +00:00
```
2018-07-27 13:41:45 +01:00
Note that all released archives are also uploaded to GitHub.
2018-10-05 10:57:14 +01:00
### Docker image
2018-03-12 22:57:10 +00:00
2018-08-15 08:58:26 +01:00
You can build the docker image as follows:
2018-03-12 22:57:10 +00:00
2018-10-05 10:57:14 +01:00
```bash
2018-07-27 13:41:45 +01:00
make image
2018-03-12 22:57:10 +00:00
```
2019-04-25 11:48:40 +01:00
You can run the `gosec` tool in a container against your local Go project. You just have to mount the project
into a volume as follow:
2018-03-12 22:57:10 +00:00
2018-10-05 10:57:14 +01:00
```bash
2019-04-25 11:48:40 +01:00
docker run -it -v < YOUR PROJECT PATH > /< PROJECT > :/< PROJECT > securego/gosec /< PROJECT > /...
2018-03-12 22:57:10 +00:00
```
2018-10-05 10:57:14 +01:00
### Generate TLS rule
2018-02-21 05:59:18 +00:00
The configuration of TLS rule can be generated from [Mozilla's TLS ciphers recommendation ](https://statics.tls.security.mozilla.org/server-side-tls-conf.json ).
First you need to install the generator tool:
2018-10-05 10:57:14 +01:00
```bash
2018-07-19 17:46:26 +01:00
go get github.com/securego/gosec/cmd/tlsconfig/...
2018-02-21 05:59:18 +00:00
```
You can invoke now the `go generate` in the root of the project:
2018-10-05 10:57:14 +01:00
```bash
2018-02-21 05:59:18 +00:00
go generate ./...
```
This will generate the `rules/tls_config.go` file with will contain the current ciphers recommendation from Mozilla.
