2016-08-05 17:54:29 +01:00
2023-10-23 09:31:50 +01:00
# gosec - Go Security Checker
2016-07-20 11:02:01 +01:00
2023-09-20 09:04:32 +01:00
Inspects source code for security problems by scanning the Go AST and SSA code representation.
2016-07-20 11:02:01 +01:00
2018-09-25 10:44:53 +01:00
< img src = "https://securego.io/img/gosec.png" width = "320" >
2018-10-05 10:57:14 +01:00
## License
2016-08-28 19:09:52 +01:00
2019-10-31 10:56:17 +00:00
Licensed under the Apache License, Version 2.0 (the "License").
You may not use this file except in compliance with the License.
2016-08-28 19:09:52 +01:00
You may obtain a copy of the License [here ](http://www.apache.org/licenses/LICENSE-2.0 ).
2018-10-05 10:57:14 +01:00
## Project status
2016-07-25 17:51:19 +01:00
2019-09-26 09:46:34 +01:00
[![CII Best Practices ](https://bestpractices.coreinfrastructure.org/projects/3218/badge )](https://bestpractices.coreinfrastructure.org/projects/3218)
2020-04-20 11:19:47 +01:00
[![Build Status ](https://github.com/securego/gosec/workflows/CI/badge.svg )](https://github.com/securego/gosec/actions?query=workflows%3ACI)
2018-12-11 17:15:58 +00:00
[![Coverage Status ](https://codecov.io/gh/securego/gosec/branch/master/graph/badge.svg )](https://codecov.io/gh/securego/gosec)
2021-05-07 17:04:01 +01:00
[![GoReport ](https://goreportcard.com/badge/github.com/securego/gosec )](https://goreportcard.com/report/github.com/securego/gosec)
2021-05-28 08:19:31 +01:00
[![GoDoc ](https://pkg.go.dev/badge/github.com/securego/gosec/v2 )](https://pkg.go.dev/github.com/securego/gosec/v2)
2019-02-13 10:27:11 +00:00
[![Docs ](https://readthedocs.org/projects/docs/badge/?version=latest )](https://securego.io/)
[![Downloads ](https://img.shields.io/github/downloads/securego/gosec/total.svg )](https://github.com/securego/gosec/releases)
[![Docker Pulls ](https://img.shields.io/docker/pulls/securego/gosec.svg )](https://hub.docker.com/r/securego/gosec/tags)
2022-12-12 11:20:22 +00:00
[![Slack ](https://img.shields.io/badge/Slack-4A154B?style=for-the-badge&logo=slack&logoColor=white )](http://securego.slack.com)
2018-07-20 00:22:43 +01:00
2018-10-05 10:57:14 +01:00
## Install
### CI Installation
```bash
2020-09-29 18:40:47 +01:00
# binary will be $(go env GOPATH)/bin/gosec
curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $(go env GOPATH)/bin vX.Y.Z
2016-07-25 17:51:19 +01:00
2018-10-05 10:57:14 +01:00
# or install it into ./bin/
curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s vX.Y.Z
# In alpine linux (as it does not come with curl by default)
wget -O - -q https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s vX.Y.Z
2019-06-06 09:49:58 +01:00
# If you want to use the checksums provided on the "Releases" page
# then you will have to download a tar.gz file for your operating system instead of a binary file
wget https://github.com/securego/gosec/releases/download/vX.Y.Z/gosec_vX.Y.Z_OS.tar.gz
2020-06-29 12:21:15 +01:00
# The file will be in the current folder where you run the command
2019-06-06 09:49:58 +01:00
# and you can check the checksum like this
echo "< check sum from the check sum file > gosec_vX.Y.Z_OS.tar.gz" | sha256sum -c -
2018-10-05 10:57:14 +01:00
gosec --help
```
2021-05-07 15:54:34 +01:00
2020-04-06 17:13:28 +01:00
### GitHub Action
You can run `gosec` as a GitHub action as follows:
```yaml
name: Run Gosec
on:
push:
branches:
- master
pull_request:
branches:
- master
jobs:
tests:
runs-on: ubuntu-latest
env:
GO111MODULE: on
steps:
2020-06-29 12:21:15 +01:00
- name: Checkout Source
2023-04-13 09:23:06 +01:00
uses: actions/checkout@v3
2020-04-06 17:13:28 +01:00
- name: Run Gosec Security Scanner
uses: securego/gosec@master
with:
args: ./...
```
2018-10-05 10:57:14 +01:00
2021-01-22 10:13:52 +00:00
### Integrating with code scanning
You can [integrate third-party code analysis tools ](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/integrating-with-code-scanning ) with GitHub code scanning by uploading data as SARIF files.
The workflow shows an example of running the `gosec` as a step in a GitHub action workflow which outputs the `results.sarif` file. The workflow then uploads the `results.sarif` file to GitHub using the `upload-sarif` action.
```yaml
name: "Security Scan"
# Run workflow each time code is pushed to your repository and on a schedule.
# The scheduled workflow runs every at 00:00 on Sunday UTC time.
on:
push:
schedule:
- cron: '0 0 * * 0'
jobs:
tests:
runs-on: ubuntu-latest
env:
GO111MODULE: on
steps:
- name: Checkout Source
2023-04-13 09:23:06 +01:00
uses: actions/checkout@v3
2021-01-22 10:13:52 +00:00
- name: Run Gosec Security Scanner
uses: securego/gosec@master
with:
# we let the report trigger content trigger a failure using the GitHub Security features.
args: '-no-fail -fmt sarif -out results.sarif ./...'
- name: Upload SARIF file
2023-11-28 08:09:22 +00:00
uses: github/codeql-action/upload-sarif@v2
2021-01-22 10:13:52 +00:00
with:
# Path to SARIF file relative to the root of the repository
sarif_file: results.sarif
```
2018-10-05 10:57:14 +01:00
### Local Installation
2018-01-11 01:31:08 +00:00
2021-10-05 18:33:55 +01:00
```bash
go install github.com/securego/gosec/v2/cmd/gosec@latest
```
2018-10-05 10:57:14 +01:00
## Usage
2016-07-20 11:02:01 +01:00
2018-07-19 17:46:26 +01:00
Gosec can be configured to only run a subset of rules, to exclude certain file
2016-07-20 11:02:01 +01:00
paths, and produce reports in different formats. By default all rules will be
run against the supplied input files. To recursively scan from the current
2019-10-31 10:56:17 +00:00
directory you can supply `./...` as the input argument.
2016-07-20 11:02:01 +01:00
2018-10-05 10:57:14 +01:00
### Available rules
- G101: Look for hard coded credentials
- G102: Bind to all interfaces
- G103: Audit the use of unsafe block
- G104: Audit errors not checked
- G106: Audit the use of ssh.InsecureIgnoreHostKey
- G107: Url provided to HTTP request as taint input
2019-09-20 09:48:19 +01:00
- G108: Profiling endpoint automatically exposed on /debug/pprof
2020-01-06 08:55:52 +00:00
- G109: Potential Integer overflow made by strconv.Atoi result conversion to int16/32
2020-01-19 19:40:19 +00:00
- G110: Potential DoS vulnerability via decompression bomb
2022-03-06 09:58:47 +00:00
- G111: Potential directory traversal
2022-04-30 11:38:50 +01:00
- G112: Potential slowloris attack
2022-06-02 23:19:51 +01:00
- G113: Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772)
2022-08-02 16:16:44 +01:00
- G114: Use of net/http serve function that has no support for setting timeouts
2024-05-27 11:57:12 +01:00
- G115: Potential integer overflow when converting between integer types
2018-10-05 10:57:14 +01:00
- G201: SQL query construction using format string
- G202: SQL query construction using string concatenation
- G203: Use of unescaped data in HTML templates
- G204: Audit use of command execution
- G301: Poor file permissions used when creating a directory
- G302: Poor file permissions used with chmod
- G303: Creating tempfile using a predictable path
- G304: File path provided as taint input
2020-08-02 16:09:02 +01:00
- G305: File traversal when extracting zip/tar archive
2020-02-28 11:48:18 +00:00
- G306: Poor file permissions used when writing to a new file
2023-10-05 11:59:17 +01:00
- G307: Poor file permissions used when creating a file with os.Create
2024-06-20 12:02:59 +01:00
- G401: Detect the usage of MD5 or SHA1
2018-10-05 10:57:14 +01:00
- G402: Look for bad TLS connection settings
- G403: Ensure minimum RSA key length of 2048 bits
- G404: Insecure random number source (rand)
2024-06-20 12:02:59 +01:00
- G405: Detect the usage of DES or RC4
2024-06-24 18:16:32 +01:00
- G406: Detect the usage of MD4 or RIPEMD160
2024-08-14 16:07:59 +01:00
- G407: Detect the usage of hardcoded Initialization Vector(IV)/Nonce
2020-06-29 12:21:15 +01:00
- G501: Import blocklist: crypto/md5
- G502: Import blocklist: crypto/des
- G503: Import blocklist: crypto/rc4
- G504: Import blocklist: net/http/cgi
- G505: Import blocklist: crypto/sha1
2024-06-24 18:16:32 +01:00
- G506: Import blocklist: golang.org/x/crypto/md4
- G507: Import blocklist: golang.org/x/crypto/ripemd160
2024-02-21 07:41:11 +00:00
- G601: Implicit memory aliasing of items from a range statement (only for Go 1.21 or lower)
2023-06-21 09:07:27 +01:00
- G602: Slice access out of bounds
2018-10-05 10:57:14 +01:00
2019-09-09 13:16:26 +01:00
### Retired rules
- G105: Audit the use of math/big.Int.Exp - [CVE is fixed ](https://github.com/golang/go/issues/15184 )
2023-02-24 13:04:13 +00:00
- G307: Deferring a method which returns an error - causing more inconvenience than fixing a security issue, despite the details from this [blog post ](https://www.joeshaw.org/dont-defer-close-on-writable-files/ )
2019-09-09 13:16:26 +01:00
### Selecting rules
2019-10-31 10:56:17 +00:00
By default, gosec will run all rules against the supplied file paths. It is however possible to select a subset of rules to run via the `-include=` flag,
or to specify a set of rules to explicitly exclude using the `-exclude=` flag.
2019-09-09 13:16:26 +01:00
2018-10-05 10:57:14 +01:00
```bash
2016-08-28 19:07:28 +01:00
# Run a specific set of rules
2018-07-19 17:46:26 +01:00
$ gosec -include=G101,G203,G401 ./...
2016-08-28 19:07:28 +01:00
# Run everything except for rule G303
2018-07-19 17:46:26 +01:00
$ gosec -exclude=G303 ./...
2016-07-20 11:02:01 +01:00
```
2021-05-07 15:54:34 +01:00
2019-10-31 10:56:17 +00:00
### CWE Mapping
2023-03-06 08:09:40 +00:00
Every issue detected by `gosec` is mapped to a [CWE (Common Weakness Enumeration) ](http://cwe.mitre.org/data/index.html ) which describes in more generic terms the vulnerability. The exact mapping can be found [here ](https://github.com/securego/gosec/blob/master/issue/issue.go#L50 ).
2016-07-20 11:02:01 +01:00
2019-01-14 11:43:12 +00:00
### Configuration
A number of global settings can be provided in a configuration file as follows:
```JSON
{
"global": {
"nosec": "enabled",
2019-01-22 14:25:14 +00:00
"audit": "enabled"
2019-01-14 11:43:12 +00:00
}
}
```
- `nosec` : this setting will overwrite all `#nosec` directives defined throughout the code base
2019-01-14 11:45:02 +00:00
- `audit` : runs in audit mode which enables addition checks that for normal code analysis might be too nosy
2019-01-14 11:43:12 +00:00
```bash
# Run with a global configuration file
2019-03-05 12:48:59 +00:00
$ gosec -conf config.json .
2019-01-14 11:43:12 +00:00
```
2021-05-07 15:54:34 +01:00
2024-12-17 08:40:45 +00:00
#### Rule Configuration
2019-06-25 10:26:28 +01:00
2024-12-17 08:40:45 +00:00
Some rules accept configuration flags as well; these flags are documented in [RULES.md ](https://github.com/securego/gosec/blob/master/RULES.md ).
2020-04-15 15:13:40 +01:00
2024-05-22 09:17:50 +01:00
#### Go version
Some rules require a specific Go version which is retrieved from the Go module file present in the project. If this version cannot be found, it will fallback to Go runtime version.
2024-05-24 15:00:01 +01:00
The Go module version is parsed using the `go list` command which in some cases might lead to performance degradation. In this situation, the go module version can be easily provided by setting the environment variable `GOSECGOVERSION=go1.21.1` .
2024-05-22 09:17:50 +01:00
2020-06-29 12:21:15 +01:00
### Dependencies
2019-09-09 12:11:12 +01:00
2021-05-07 15:54:34 +01:00
gosec will fetch automatically the dependencies of the code which is being analyzed when go module is turned on (e.g.`GO111MODULE=on`). If this is not the case,
2019-09-09 12:11:12 +01:00
the dependencies need to be explicitly downloaded by running the `go get -d` command before the scan.
2019-09-09 13:01:36 +01:00
### Excluding test files and folders
2019-09-09 12:11:12 +01:00
2020-06-29 12:21:15 +01:00
gosec will ignore test files across all packages and any dependencies in your vendor directory.
2016-07-20 11:02:01 +01:00
2019-09-09 13:01:36 +01:00
The scanning of test files can be enabled with the following flag:
2019-04-28 18:39:43 +01:00
```bash
2019-09-09 13:01:36 +01:00
gosec -tests ./...
```
Also additional folders can be excluded as follows:
```bash
gosec -exclude-dir=rules -exclude-dir=cmd ./...
2019-04-28 18:39:43 +01:00
```
2016-07-20 11:02:01 +01:00
2021-08-04 16:33:20 +01:00
### Excluding generated files
gosec can ignore generated go files with default generated code comment.
```
// Code generated by some generator DO NOT EDIT.
```
```bash
gosec -exclude-generated ./...
```
2024-08-12 11:52:41 +01:00
### Auto fixing vulnerabilities
gosec can suggest fixes based on AI recommendation. It will call an AI API to receive a suggestion for a security finding.
You can enable this feature by providing the following command line arguments:
- `ai-api-provider` : the name of the AI API provider, currently only `gemini` is supported.
2024-08-18 16:59:45 +01:00
- `ai-api-key` or set the environment variable `GOSEC_AI_API_KEY` : the key to access the AI API,
For gemini, you can create an API key following [these instructions ](https://ai.google.dev/gemini-api/docs/api-key ).
2024-08-12 11:52:41 +01:00
- `ai-endpoint` : the endpoint of the AI provider, this is optional argument.
```bash
gosec -ai-api-provider="gemini" -ai-api-key="your_key" ./...
```
2021-08-04 16:33:20 +01:00
2018-10-05 10:57:14 +01:00
### Annotating code
2016-07-20 11:02:01 +01:00
2023-10-18 10:43:10 +01:00
As with all automated detection tools, there will be cases of false positives.
In cases where gosec reports a failure that has been manually verified as being safe,
2021-12-09 10:53:36 +00:00
it is possible to annotate the code with a comment that starts with `#nosec` .
2023-10-18 10:43:10 +01:00
2021-12-09 10:53:36 +00:00
The `#nosec` comment should have the format `#nosec [RuleList] [-- Justification]` .
2016-07-27 09:36:13 +01:00
2023-10-18 10:43:10 +01:00
The `#nosec` comment needs to be placed on the line where the warning is reported.
2016-07-20 11:02:01 +01:00
```go
2023-10-18 10:43:10 +01:00
func main() {
tr := & http.Transport{
TLSClientConfig: & tls.Config{
InsecureSkipVerify: true, // #nosec G402
},
}
client := & http.Client{Transport: tr}
2024-12-16 14:18:51 +00:00
_, err := client.Get("https://go.dev/")
2023-10-18 10:43:10 +01:00
if err != nil {
fmt.Println(err)
}
2016-07-20 11:02:01 +01:00
}
```
2023-10-18 10:43:10 +01:00
When a specific false positive has been identified and verified as safe, you may
wish to suppress only that single rule (or a specific set of rules) within a section of code,
while continuing to scan for other problems. To do this, you can list the rule(s) to be suppressed within
2021-12-15 18:31:14 +00:00
the `#nosec` annotation, e.g: `/* #nosec G401 */` or `//#nosec G201 G202 G203`
2018-07-31 21:22:19 +01:00
2021-12-09 10:53:36 +00:00
You could put the description or justification text for the annotation. The
justification should be after the rule(s) to suppress and start with two or
2021-12-15 18:31:14 +00:00
more dashes, e.g: `//#nosec G101 G102 -- This is a false positive`
2021-12-09 10:53:36 +00:00
2019-10-31 10:56:17 +00:00
In some cases you may also want to revisit places where `#nosec` annotations
have been used. To run the scanner and ignore any `#nosec` annotations you
2016-07-22 15:50:30 +01:00
can do the following:
2016-07-20 11:02:01 +01:00
2018-10-05 10:57:14 +01:00
```bash
gosec -nosec=true ./...
2016-07-20 11:02:01 +01:00
```
2018-10-05 10:57:14 +01:00
2021-12-09 10:53:36 +00:00
### Tracking suppressions
As described above, we could suppress violations externally (using `-include` /
`-exclude` ) or inline (using `#nosec` annotations) in gosec. This suppression
inflammation can be used to generate corresponding signals for auditing
purposes.
We could track suppressions by the `-track-suppressions` flag as follows:
```bash
gosec -track-suppressions -exclude=G101 -fmt=sarif -out=results.sarif ./...
```
- For external suppressions, gosec records suppression info where `kind` is
`external` and `justification` is a certain sentence "Globally suppressed".
- For inline suppressions, gosec records suppression info where `kind` is
`inSource` and `justification` is the text after two or more dashes in the
comment.
**Note:** Only SARIF and JSON formats support tracking suppressions.
2018-10-05 10:57:14 +01:00
### Build tags
2018-04-20 00:45:04 +01:00
2024-12-16 14:18:51 +00:00
gosec is able to pass your [Go build tags ](https://pkg.go.dev/go/build/ ) to the analyzer.
2018-04-20 00:45:04 +01:00
They can be provided as a comma separated list as follows:
2018-10-05 10:57:14 +01:00
```bash
2021-08-16 10:29:35 +01:00
gosec -tags debug,ignore ./...
2018-04-20 00:45:04 +01:00
```
2016-07-20 11:02:01 +01:00
### Output formats
2020-04-09 12:01:40 +01:00
gosec currently supports `text` , `json` , `yaml` , `csv` , `sonarqube` , `JUnit XML` , `html` and `golint` output formats. By default
2016-07-22 15:50:30 +01:00
results will be reported to stdout, but can also be written to an output
2020-04-09 12:01:40 +01:00
file. The output format is controlled by the `-fmt` flag, and the output file is controlled by the `-out` flag as follows:
2016-07-20 11:02:01 +01:00
2018-10-05 10:57:14 +01:00
```bash
2016-07-20 11:02:01 +01:00
# Write output in json format to results.json
2018-07-19 17:46:26 +01:00
$ gosec -fmt=json -out=results.json *.go
2016-07-20 11:02:01 +01:00
```
2017-08-03 18:50:58 +01:00
2024-08-12 11:52:41 +01:00
Results will be reported to stdout as well as to the provided output file by `-stdout` flag. The `-verbose` flag overrides the
2021-05-10 09:44:55 +01:00
output format when stdout the results while saving them in the output file
```bash
# Write output in json format to results.json as well as stdout
$ gosec -fmt=json -out=results.json -stdout *.go
# Overrides the output format to 'text' when stdout the results, while writing it to results.json
$ gosec -fmt=json -out=results.json -stdout -verbose=text *.go
```
2021-02-11 13:19:46 +00:00
**Note:** gosec generates the [generic issue import format ](https://docs.sonarqube.org/latest/analysis/generic-issue/ ) for SonarQube, and a report has to be imported into SonarQube using `sonar.externalIssuesReportPaths=path/to/gosec-report.json` .
2021-02-11 11:10:44 +00:00
2018-10-05 10:57:14 +01:00
## Development
2024-12-16 09:38:51 +00:00
[CONTRIBUTING.md ](https://github.com/securego/gosec/blob/master/CONTRIBUTING.md ) contains detailed information about adding new rules to gosec.
2018-10-05 10:57:14 +01:00
### Build
2018-03-12 22:57:10 +00:00
2020-04-09 12:01:40 +01:00
You can build the binary with:
2021-05-07 15:54:34 +01:00
2018-10-05 10:57:14 +01:00
```bash
2018-03-12 22:57:10 +00:00
make
```
2021-05-05 17:54:32 +01:00
### Note on Sarif Types Generation
Install the tool with :
2021-05-07 15:54:34 +01:00
2021-05-05 17:54:32 +01:00
```bash
go get -u github.com/a-h/generate/cmd/schema-generate
```
Then generate the types with :
2021-05-07 15:54:34 +01:00
2021-05-05 17:54:32 +01:00
```bash
schema-generate -i sarif-schema-2.1.0.json -o mypath/types.go
```
2021-11-09 20:02:24 +00:00
Most of the MarshallJSON/UnmarshalJSON are removed except the one for PropertyBag which is handy to inline the additional properties. The rest can be removed.
2023-10-23 09:31:50 +01:00
The URI,ID, UUID, GUID were renamed so it fits the Go convention defined [here ](https://github.com/golang/lint/blob/master/lint.go#L700 )
2021-05-05 17:54:32 +01:00
2018-10-05 10:57:14 +01:00
### Tests
2018-03-12 22:57:10 +00:00
2020-04-09 12:01:40 +01:00
You can run all unit tests using:
2021-05-07 15:54:34 +01:00
2018-10-05 10:57:14 +01:00
```bash
2018-03-19 23:21:32 +00:00
make test
2018-03-12 22:57:10 +00:00
```
2020-04-09 12:01:40 +01:00
### Release
2018-03-12 22:57:10 +00:00
2020-04-09 12:01:40 +01:00
You can create a release by tagging the version as follows:
2018-08-21 10:14:30 +01:00
2020-04-09 12:01:40 +01:00
``` bash
git tag v1.0.0 -m "Release version v1.0.0"
git push origin v1.0.0
2018-03-12 22:57:10 +00:00
```
2020-04-09 12:01:40 +01:00
The GitHub [release workflow ](.github/workflows/release.yml ) triggers immediately after the tag is pushed upstream. This flow will
release the binaries using the [goreleaser ](https://goreleaser.com/actions/ ) action and then it will build and publish the docker image into Docker Hub.
2018-07-27 13:41:45 +01:00
2024-08-12 11:52:41 +01:00
The released artifacts are signed using [cosign ](https://docs.sigstore.dev/ ). You can use the public key from [cosign.pub ](cosign.pub )
2022-02-22 20:33:42 +00:00
file to verify the signature of docker image and binaries files.
The docker image signature can be verified with the following command:
```
cosign verify --key cosign.pub securego/gosec:< TAG >
```
2024-08-12 11:52:41 +01:00
2022-02-22 20:33:42 +00:00
The binary files signature can be verified with the following command:
```
cosign verify-blob --key cosign.pub --signature gosec_< VERSION > _darwin_amd64.tar.gz.sig gosec_< VERSION > _darwin_amd64.tar.gz
```
2018-10-05 10:57:14 +01:00
### Docker image
2018-03-12 22:57:10 +00:00
2020-04-09 12:01:40 +01:00
You can also build locally the docker image by using the command:
2018-03-12 22:57:10 +00:00
2018-10-05 10:57:14 +01:00
```bash
2018-07-27 13:41:45 +01:00
make image
2018-03-12 22:57:10 +00:00
```
2020-06-29 12:21:15 +01:00
You can run the `gosec` tool in a container against your local Go project. You only have to mount the project
2019-10-31 10:56:17 +00:00
into a volume as follows:
2018-03-12 22:57:10 +00:00
2018-10-05 10:57:14 +01:00
```bash
2020-08-31 10:14:04 +01:00
docker run --rm -it -w /< PROJECT > / -v < YOUR PROJECT PATH > /< PROJECT > :/< PROJECT > securego/gosec /< PROJECT > /...
2018-03-12 22:57:10 +00:00
```
2021-05-07 15:54:34 +01:00
**Note:** the current working directory needs to be set with `-w` option in order to get successfully resolved the dependencies from go module file
2018-03-12 22:57:10 +00:00
2018-10-05 10:57:14 +01:00
### Generate TLS rule
2018-02-21 05:59:18 +00:00
The configuration of TLS rule can be generated from [Mozilla's TLS ciphers recommendation ](https://statics.tls.security.mozilla.org/server-side-tls-conf.json ).
First you need to install the generator tool:
2018-10-05 10:57:14 +01:00
```bash
2020-09-02 09:41:50 +01:00
go get github.com/securego/gosec/v2/cmd/tlsconfig/...
2018-02-21 05:59:18 +00:00
```
You can invoke now the `go generate` in the root of the project:
2018-10-05 10:57:14 +01:00
```bash
2018-02-21 05:59:18 +00:00
go generate ./...
```
2019-10-31 10:56:17 +00:00
This will generate the `rules/tls_config.go` file which will contain the current ciphers recommendation from Mozilla.
2020-05-08 09:14:32 +01:00
## Who is using gosec?
2020-06-29 12:21:15 +01:00
This is a [list ](USERS.md ) with some of the gosec's users.
2021-12-15 19:10:40 +00:00
## Sponsors
Support this project by becoming a sponsor. Your logo will show up here with a link to your website
2022-02-22 20:33:42 +00:00
< a href = "https://github.com/mercedes-benz" target = "_blank" > < img src = "https://avatars.githubusercontent.com/u/34240465?s=80&v=4" > < / a >