mirror of
https://github.com/securego/gosec.git
synced 2024-11-05 19:45:51 +00:00
Document #nosec use with a list of rules
Extend the readme to document the ability to prevent some, but not all, rules from being enforced within an AST node.
This commit is contained in:
parent
639987a295
commit
0d2e16dfa3
1 changed files with 4 additions and 2 deletions
|
@ -77,8 +77,8 @@ that are not considered build artifacts by the compiler (so test files).
|
|||
|
||||
As with all automated detection tools there will be cases of false positives. In cases where gosec reports a failure that has been manually verified as being safe it is possible to annotate the code with a '#nosec' comment.
|
||||
|
||||
The annotation causes gosec to stop processing any further nodes within the
|
||||
AST so can apply to a whole block or more granularly to a single expression.
|
||||
The annotation causes gosec to stop processing any further nodes within the
|
||||
AST so can apply to a whole block or more granularly to a single expression.
|
||||
|
||||
```go
|
||||
|
||||
|
@ -96,6 +96,8 @@ func main(){
|
|||
|
||||
```
|
||||
|
||||
When a specific false positive has been identified and verified as safe, you may wish to suppress only that single rule (or a specific set of rules) within a section of code, while continuing to scan for other problems. To do this, you can list the rule(s) to be suppressed within the `#nosec` annotation, e.g: `/* #nosec G401 */` or `// #nosec G201 G202 G203 `
|
||||
|
||||
In some cases you may also want to revisit places where #nosec annotations
|
||||
have been used. To run the scanner and ignore any #nosec annotations you
|
||||
can do the following:
|
||||
|
|
Loading…
Reference in a new issue