Add CI Installation steps and correct markdown lint errors

This commit is contained in:
Kishan B 2018-10-05 15:27:14 +05:30
parent 8c09a83248
commit 97bc137c5b

View file

@ -1,42 +1,56 @@
# gosec - Golang Security Checker
## gosec -Golang Security Checker
Inspects source code for security problems by scanning the Go AST. Inspects source code for security problems by scanning the Go AST.
<img src="https://securego.io/img/gosec.png" width="320"> <img src="https://securego.io/img/gosec.png" width="320">
## License
### License
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.
You may obtain a copy of the License [here](http://www.apache.org/licenses/LICENSE-2.0). You may obtain a copy of the License [here](http://www.apache.org/licenses/LICENSE-2.0).
### Project status ## Project status
[![Build Status](https://travis-ci.org/securego/gosec.svg?branch=master)](https://travis-ci.org/securego/gosec) [![Build Status](https://travis-ci.org/securego/gosec.svg?branch=master)](https://travis-ci.org/securego/gosec)
[![GoDoc](https://godoc.org/github.com/securego/gosec?status.svg)](https://godoc.org/github.com/securego/gosec) [![GoDoc](https://godoc.org/github.com/securego/gosec?status.svg)](https://godoc.org/github.com/securego/gosec)
[![Slack](http://securego.herokuapp.com/badge.svg)](http://securego.herokuapp.com) [![Slack](http://securego.herokuapp.com/badge.svg)](http://securego.herokuapp.com)
## Install
### Install ### CI Installation
```bash
# binary will be $GOPATH/bin/gosec
curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $GOPATH/bin vX.Y.Z
# or install it into ./bin/
curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s vX.Y.Z
# In alpine linux (as it does not come with curl by default)
wget -O - -q https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s vX.Y.Z
gosec --help
```
### Local Installation
`$ go get github.com/securego/gosec/cmd/gosec/...` `$ go get github.com/securego/gosec/cmd/gosec/...`
### Usage ## Usage
Gosec can be configured to only run a subset of rules, to exclude certain file Gosec can be configured to only run a subset of rules, to exclude certain file
paths, and produce reports in different formats. By default all rules will be paths, and produce reports in different formats. By default all rules will be
run against the supplied input files. To recursively scan from the current run against the supplied input files. To recursively scan from the current
directory you can supply './...' as the input argument. directory you can supply './...' as the input argument.
#### Selecting rules ### Selecting rules
By default gosec will run all rules against the supplied file paths. It is however possible to select a subset of rules to run via the '-include=' flag, By default gosec will run all rules against the supplied file paths. It is however possible to select a subset of rules to run via the '-include=' flag,
or to specify a set of rules to explicitly exclude using the '-exclude=' flag. or to specify a set of rules to explicitly exclude using the '-exclude=' flag.
##### Available rules ### Available rules
- G101: Look for hard coded credentials - G101: Look for hard coded credentials
- G102: Bind to all interfaces - G102: Bind to all interfaces
@ -64,8 +78,7 @@ or to specify a set of rules to explicitly exclude using the '-exclude=' flag.
- G504: Import blacklist: net/http/cgi - G504: Import blacklist: net/http/cgi
- G505: Import blacklist: crypto/sha1 - G505: Import blacklist: crypto/sha1
```bash
```
# Run a specific set of rules # Run a specific set of rules
$ gosec -include=G101,G203,G401 ./... $ gosec -include=G101,G203,G401 ./...
@ -73,12 +86,12 @@ $ gosec -include=G101,G203,G401 ./...
$ gosec -exclude=G303 ./... $ gosec -exclude=G303 ./...
``` ```
#### Excluding files: ### Excluding files
gosec will ignore dependencies in your vendor directory any files gosec will ignore dependencies in your vendor directory any files
that are not considered build artifacts by the compiler (so test files). that are not considered build artifacts by the compiler (so test files).
#### Annotating code ### Annotating code
As with all automated detection tools there will be cases of false positives. In cases where gosec reports a failure that has been manually verified as being safe it is possible to annotate the code with a '#nosec' comment. As with all automated detection tools there will be cases of false positives. In cases where gosec reports a failure that has been manually verified as being safe it is possible to annotate the code with a '#nosec' comment.
@ -107,16 +120,17 @@ In some cases you may also want to revisit places where #nosec annotations
have been used. To run the scanner and ignore any #nosec annotations you have been used. To run the scanner and ignore any #nosec annotations you
can do the following: can do the following:
```bash
gosec -nosec=true ./...
``` ```
$ gosec -nosec=true ./...
``` ### Build tags
#### Build tags
gosec is able to pass your [Go build tags](https://golang.org/pkg/go/build/) to the analyzer. gosec is able to pass your [Go build tags](https://golang.org/pkg/go/build/) to the analyzer.
They can be provided as a comma separated list as follows: They can be provided as a comma separated list as follows:
``` ```bash
$ gosec -tag debug,ignore ./... gosec -tag debug,ignore ./...
``` ```
### Output formats ### Output formats
@ -125,34 +139,35 @@ gosec currently supports text, json, yaml, csv and JUnit XML output formats. By
results will be reported to stdout, but can also be written to an output results will be reported to stdout, but can also be written to an output
file. The output format is controlled by the '-fmt' flag, and the output file is controlled by the '-out' flag as follows: file. The output format is controlled by the '-fmt' flag, and the output file is controlled by the '-out' flag as follows:
``` ```bash
# Write output in json format to results.json # Write output in json format to results.json
$ gosec -fmt=json -out=results.json *.go $ gosec -fmt=json -out=results.json *.go
``` ```
### Development
#### Prerequisites ## Development
### Prerequisites
Install dep according to the instructions here: https://github.com/golang/dep Install dep according to the instructions here: https://github.com/golang/dep
Install the latest version of golint: https://github.com/golang/lint Install the latest version of golint: https://github.com/golang/lint
#### Build ### Build
``` ```bash
make make
``` ```
#### Tests ### Tests
``` ```bash
make test make test
``` ```
#### Release Build ### Release Build
Make sure you have installed the [goreleaser](https://github.com/goreleaser/goreleaser) tool and then you can release gosec as follows: Make sure you have installed the [goreleaser](https://github.com/goreleaser/goreleaser) tool and then you can release gosec as follows:
``` ```bash
git tag 1.0.0 git tag 1.0.0
export GITHUB_TOKEN=<YOUR GITHUB TOKEN> export GITHUB_TOKEN=<YOUR GITHUB TOKEN>
make release make release
@ -160,7 +175,7 @@ make release
The released version of the tool is available in the `dist` folder. The build information should be displayed in the usage text. The released version of the tool is available in the `dist` folder. The build information should be displayed in the usage text.
``` ```bash
./dist/darwin_amd64/gosec -h ./dist/darwin_amd64/gosec -h
gosec - Golang security checker gosec - Golang security checker
@ -174,35 +189,34 @@ BUILD DATE: 2018-04-27T12:41:38Z
Note that all released archives are also uploaded to GitHub. Note that all released archives are also uploaded to GitHub.
#### Docker image ### Docker image
You can build the docker image as follows: You can build the docker image as follows:
``` ```bash
make image make image
``` ```
You can run the `gosec` tool in a container against your local Go project. You just have to mount the project in the You can run the `gosec` tool in a container against your local Go project. You just have to mount the project in the
`GOPATH` of the container: `GOPATH` of the container:
``` ```bash
docker run -it -v $GOPATH/src/<YOUR PROJECT PATH>:/go/src/<YOUR PROJECT PATH> securego/gosec ./... docker run -it -v $GOPATH/src/<YOUR PROJECT PATH>:/go/src/<YOUR PROJECT PATH> securego/gosec ./...
``` ```
#### Generate TLS rule ### Generate TLS rule
The configuration of TLS rule can be generated from [Mozilla's TLS ciphers recommendation](https://statics.tls.security.mozilla.org/server-side-tls-conf.json). The configuration of TLS rule can be generated from [Mozilla's TLS ciphers recommendation](https://statics.tls.security.mozilla.org/server-side-tls-conf.json).
First you need to install the generator tool: First you need to install the generator tool:
``` ```bash
go get github.com/securego/gosec/cmd/tlsconfig/... go get github.com/securego/gosec/cmd/tlsconfig/...
``` ```
You can invoke now the `go generate` in the root of the project: You can invoke now the `go generate` in the root of the project:
``` ```bash
go generate ./... go generate ./...
``` ```