mirror of
https://github.com/securego/gosec.git
synced 2024-12-25 12:05:52 +00:00
Add CI Installation steps and correct markdown lint errors
This commit is contained in:
parent 8c09a83248
commit 97bc137c5b
1 changed files with 74 additions and 60 deletions
84
README.md
|
@ -1,42 +1,56 @@
|
||||||
|
|
||||||
|
# gosec - Golang Security Checker
|
||||||
## gosec -Golang Security Checker
|
|
||||||
|
|
||||||
Inspects source code for security problems by scanning the Go AST.
|
Inspects source code for security problems by scanning the Go AST.
|
||||||
|
|
||||||
<img src="https://securego.io/img/gosec.png" width="320">
|
<img src="https://securego.io/img/gosec.png" width="320">
|
||||||
|
|
||||||
|
## License
|
||||||
### License
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
you may not use this file except in compliance with the License.
|
you may not use this file except in compliance with the License.
|
||||||
You may obtain a copy of the License [here](http://www.apache.org/licenses/LICENSE-2.0).
|
You may obtain a copy of the License [here](http://www.apache.org/licenses/LICENSE-2.0).
|
||||||
|
|
||||||
### Project status
|
## Project status
|
||||||
|
|
||||||
[![Build Status](https://travis-ci.org/securego/gosec.svg?branch=master)](https://travis-ci.org/securego/gosec)
|
[![Build Status](https://travis-ci.org/securego/gosec.svg?branch=master)](https://travis-ci.org/securego/gosec)
|
||||||
[![GoDoc](https://godoc.org/github.com/securego/gosec?status.svg)](https://godoc.org/github.com/securego/gosec)
|
[![GoDoc](https://godoc.org/github.com/securego/gosec?status.svg)](https://godoc.org/github.com/securego/gosec)
|
||||||
[![Slack](http://securego.herokuapp.com/badge.svg)](http://securego.herokuapp.com)
|
[![Slack](http://securego.herokuapp.com/badge.svg)](http://securego.herokuapp.com)
|
||||||
|
|
||||||
|
## Install
|
||||||
|
|
||||||
### Install
|
### CI Installation
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# binary will be $GOPATH/bin/gosec
|
||||||
|
curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $GOPATH/bin vX.Y.Z
|
||||||
|
|
||||||
|
# or install it into ./bin/
|
||||||
|
curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s vX.Y.Z
|
||||||
|
|
||||||
|
# In alpine linux (as it does not come with curl by default)
|
||||||
|
wget -O - -q https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s vX.Y.Z
|
||||||
|
|
||||||
|
gosec --help
|
||||||
|
```
|
||||||
|
|
||||||
|
### Local Installation
|
||||||
|
|
||||||
`$ go get github.com/securego/gosec/cmd/gosec/...`
|
`$ go get github.com/securego/gosec/cmd/gosec/...`
|
||||||
|
|
||||||
### Usage
|
## Usage
|
||||||
|
|
||||||
Gosec can be configured to only run a subset of rules, to exclude certain file
|
Gosec can be configured to only run a subset of rules, to exclude certain file
|
||||||
paths, and produce reports in different formats. By default all rules will be
|
paths, and produce reports in different formats. By default all rules will be
|
||||||
run against the supplied input files. To recursively scan from the current
|
run against the supplied input files. To recursively scan from the current
|
||||||
directory you can supply './...' as the input argument.
|
directory you can supply './...' as the input argument.
|
||||||
|
|
||||||
#### Selecting rules
|
### Selecting rules
|
||||||
|
|
||||||
By default gosec will run all rules against the supplied file paths. It is however possible to select a subset of rules to run via the '-include=' flag,
|
By default gosec will run all rules against the supplied file paths. It is however possible to select a subset of rules to run via the '-include=' flag,
|
||||||
or to specify a set of rules to explicitly exclude using the '-exclude=' flag.
|
or to specify a set of rules to explicitly exclude using the '-exclude=' flag.
|
||||||
|
|
||||||
##### Available rules
|
### Available rules
|
||||||
|
|
||||||
- G101: Look for hard coded credentials
|
- G101: Look for hard coded credentials
|
||||||
- G102: Bind to all interfaces
|
- G102: Bind to all interfaces
|
||||||
|
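Review bot: the new CI Installation block pipes an installer fetched from the mutable `master` branch straight into `sh` (`curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $GOPATH/bin vX.Y.Z`, and the `wget -O - -q` variant for Alpine), so `vX.Y.Z` pins the gosec release but nothing pins or verifies the script that performs the download. Consider pointing CI users at the script under a tagged ref and documenting how to check the release archive's checksum before installing, and state explicitly that `vX.Y.Z` is a placeholder to be replaced with a real release tag. Quoting `"$GOPATH/bin"` would also keep the `-b` argument intact if GOPATH contains spaces.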
@ -64,8 +78,7 @@ or to specify a set of rules to explicitly exclude using the '-exclude=' flag.
|
||||||
- G504: Import blacklist: net/http/cgi
|
- G504: Import blacklist: net/http/cgi
|
||||||
- G505: Import blacklist: crypto/sha1
|
- G505: Import blacklist: crypto/sha1
|
||||||
|
|
||||||
|
```bash
|
||||||
```
|
|
||||||
# Run a specific set of rules
|
# Run a specific set of rules
|
||||||
$ gosec -include=G101,G203,G401 ./...
|
$ gosec -include=G101,G203,G401 ./...
|
||||||
|
|
||||||
|
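Review bot: the fence around `# Run a specific set of rules` is now tagged `bash`, but the command keeps its prompt (`$ gosec -include=G101,G203,G401 ./...`), which is not valid bash and breaks copy-paste; drop the `$ ` prefix here so the block is runnable as written.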
@ -73,12 +86,12 @@ $ gosec -include=G101,G203,G401 ./...
|
||||||
$ gosec -exclude=G303 ./...
|
$ gosec -exclude=G303 ./...
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Excluding files:
|
### Excluding files
|
||||||
|
|
||||||
gosec will ignore dependencies in your vendor directory any files
|
gosec will ignore dependencies in your vendor directory any files
|
||||||
that are not considered build artifacts by the compiler (so test files).
|
that are not considered build artifacts by the compiler (so test files).
|
||||||
|
|
||||||
#### Annotating code
|
### Annotating code
|
||||||
|
|
||||||
As with all automated detection tools there will be cases of false positives. In cases where gosec reports a failure that has been manually verified as being safe it is possible to annotate the code with a '#nosec' comment.
|
As with all automated detection tools there will be cases of false positives. In cases where gosec reports a failure that has been manually verified as being safe it is possible to annotate the code with a '#nosec' comment.
|
||||||
|
|
||||||
|
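Review bot: the unchanged sentence `gosec will ignore dependencies in your vendor directory any files that are not considered build artifacts by the compiler (so test files).` is missing a conjunction and reads ambiguously; since the heading right above it is being edited anyway, reword it to `gosec will ignore dependencies in your vendor directory and any files that are not considered build artifacts by the compiler (for example, test files).` The `#nosec` paragraph would also benefit from one sentence advising that each suppression carry a short justification beside the annotation, so that a later review of suppressed findings has something to check against.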
@ -107,16 +120,17 @@ In some cases you may also want to revisit places where #nosec annotations
|
||||||
have been used. To run the scanner and ignore any #nosec annotations you
|
have been used. To run the scanner and ignore any #nosec annotations you
|
||||||
can do the following:
|
can do the following:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
gosec -nosec=true ./...
|
||||||
```
|
```
|
||||||
$ gosec -nosec=true ./...
|
|
||||||
```
|
### Build tags
|
||||||
#### Build tags
|
|
||||||
|
|
||||||
gosec is able to pass your [Go build tags](https://golang.org/pkg/go/build/) to the analyzer.
|
gosec is able to pass your [Go build tags](https://golang.org/pkg/go/build/) to the analyzer.
|
||||||
They can be provided as a comma separated list as follows:
|
They can be provided as a comma separated list as follows:
|
||||||
|
|
||||||
```
|
```bash
|
||||||
$ gosec -tag debug,ignore ./...
|
gosec -tag debug,ignore ./...
|
||||||
```
|
```
|
||||||
|
|
||||||
### Output formats
|
### Output formats
|
||||||
|
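Review bot: dropping the `$ ` prompt while tagging the fence `bash` (`gosec -nosec=true ./...`, `gosec -tag debug,ignore ./...`) is the right fix, but the same treatment is not applied to the other `bash` blocks in this file, which still read `$ gosec -include=G101,G203,G401 ./...`, `$ gosec -exclude=G303 ./...` and `$ gosec -fmt=json -out=results.json *.go`; make them consistent in this commit. Since the paragraph above recommends revisiting `#nosec` annotations, it is worth adding that `gosec -nosec=true ./...` can run as a separate, non-blocking CI job so suppressed findings are re-examined regularly rather than only on demand.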
@ -125,34 +139,35 @@ gosec currently supports text, json, yaml, csv and JUnit XML output formats. By
|
||||||
results will be reported to stdout, but can also be written to an output
|
results will be reported to stdout, but can also be written to an output
|
||||||
file. The output format is controlled by the '-fmt' flag, and the output file is controlled by the '-out' flag as follows:
|
file. The output format is controlled by the '-fmt' flag, and the output file is controlled by the '-out' flag as follows:
|
||||||
|
|
||||||
```
|
```bash
|
||||||
# Write output in json format to results.json
|
# Write output in json format to results.json
|
||||||
$ gosec -fmt=json -out=results.json *.go
|
$ gosec -fmt=json -out=results.json *.go
|
||||||
```
|
```
|
||||||
### Development
|
|
||||||
|
|
||||||
#### Prerequisites
|
## Development
|
||||||
|
|
||||||
|
### Prerequisites
|
||||||
|
|
||||||
Install dep according to the instructions here: https://github.com/golang/dep
|
Install dep according to the instructions here: https://github.com/golang/dep
|
||||||
Install the latest version of golint: https://github.com/golang/lint
|
Install the latest version of golint: https://github.com/golang/lint
|
||||||
|
|
||||||
#### Build
|
### Build
|
||||||
|
|
||||||
```
|
```bash
|
||||||
make
|
make
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Tests
|
### Tests
|
||||||
|
|
||||||
```
|
```bash
|
||||||
make test
|
make test
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Release Build
|
### Release Build
|
||||||
|
|
||||||
Make sure you have installed the [goreleaser](https://github.com/goreleaser/goreleaser) tool and then you can release gosec as follows:
|
Make sure you have installed the [goreleaser](https://github.com/goreleaser/goreleaser) tool and then you can release gosec as follows:
|
||||||
|
|
||||||
```
|
```bash
|
||||||
git tag 1.0.0
|
git tag 1.0.0
|
||||||
export GITHUB_TOKEN=<YOUR GITHUB TOKEN>
|
export GITHUB_TOKEN=<YOUR GITHUB TOKEN>
|
||||||
make release
|
make release
|
||||||
|
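Review bot: `export GITHUB_TOKEN=<YOUR GITHUB TOKEN>` in the Release Build block places a release-capable token in shell history and in the environment of every child process; the text should at least recommend a token with the minimum scope needed and a way to supply it without echoing it into history (for instance reading it from a file or a secrets manager). Two smaller points in the same hunk: `Install dep according to the instructions here: https://github.com/golang/dep` and the golint line use bare URLs, which markdownlint's no-bare-urls rule (MD034) flags, so wrap them in angle brackets or link syntax given the commit's stated purpose; and `git tag 1.0.0` is unprefixed while the install steps expect `vX.Y.Z`, so make the example tag match the release naming the installer consumes.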
@ -160,7 +175,7 @@ make release
|
||||||
|
|
||||||
The released version of the tool is available in the `dist` folder. The build information should be displayed in the usage text.
|
The released version of the tool is available in the `dist` folder. The build information should be displayed in the usage text.
|
||||||
|
|
||||||
```
|
```bash
|
||||||
./dist/darwin_amd64/gosec -h
|
./dist/darwin_amd64/gosec -h
|
||||||
gosec - Golang security checker
|
gosec - Golang security checker
|
||||||
|
|
||||||
|
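Review bot: the block following the `dist` folder paragraph mixes a command (`./dist/darwin_amd64/gosec -h`) with its output (`gosec - Golang security checker` and the version and build date lines), so tagging the fence `bash` mislabels most of its content; either keep the fence untagged, use `text` or `console`, or split the command from the captured output. The path `./dist/darwin_amd64/gosec` is also platform-specific, so a note that the directory name follows the goreleaser target would help readers on other platforms.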
@ -174,35 +189,34 @@ BUILD DATE: 2018-04-27T12:41:38Z
|
||||||
|
|
||||||
Note that all released archives are also uploaded to GitHub.
|
Note that all released archives are also uploaded to GitHub.
|
||||||
|
|
||||||
#### Docker image
|
### Docker image
|
||||||
|
|
||||||
You can build the docker image as follows:
|
You can build the docker image as follows:
|
||||||
|
|
||||||
```
|
```bash
|
||||||
make image
|
make image
|
||||||
```
|
```
|
||||||
|
|
||||||
You can run the `gosec` tool in a container against your local Go project. You just have to mount the project in the
|
You can run the `gosec` tool in a container against your local Go project. You just have to mount the project in the
|
||||||
`GOPATH` of the container:
|
`GOPATH` of the container:
|
||||||
|
|
||||||
```
|
```bash
|
||||||
docker run -it -v $GOPATH/src/<YOUR PROJECT PATH>:/go/src/<YOUR PROJECT PATH> securego/gosec ./...
|
docker run -it -v $GOPATH/src/<YOUR PROJECT PATH>:/go/src/<YOUR PROJECT PATH> securego/gosec ./...
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Generate TLS rule
|
### Generate TLS rule
|
||||||
|
|
||||||
The configuration of TLS rule can be generated from [Mozilla's TLS ciphers recommendation](https://statics.tls.security.mozilla.org/server-side-tls-conf.json).
|
The configuration of TLS rule can be generated from [Mozilla's TLS ciphers recommendation](https://statics.tls.security.mozilla.org/server-side-tls-conf.json).
|
||||||
|
|
||||||
|
|
||||||
First you need to install the generator tool:
|
First you need to install the generator tool:
|
||||||
|
|
||||||
```
|
```bash
|
||||||
go get github.com/securego/gosec/cmd/tlsconfig/...
|
go get github.com/securego/gosec/cmd/tlsconfig/...
|
||||||
```
|
```
|
||||||
|
|
||||||
You can invoke now the `go generate` in the root of the project:
|
You can invoke now the `go generate` in the root of the project:
|
||||||
|
|
||||||
```
|
```bash
|
||||||
go generate ./...
|
go generate ./...
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
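Review bot: the Docker example `docker run -it -v $GOPATH/src/<YOUR PROJECT PATH>:/go/src/<YOUR PROJECT PATH> securego/gosec ./...` runs an unpinned `securego/gosec` image (implicitly `latest`), which is at odds with the install section's `vX.Y.Z` pinning; recommend a tagged image, mount the source read-only (append `:ro` to the `-v` argument) since gosec only reads the tree, and quote `"$GOPATH"`. Two wording fixes in the Generate TLS rule section: "The configuration of TLS rule can be generated" should read "The configuration of the TLS rule can be generated", and "You can invoke now the `go generate` in the root of the project" should read "You can now invoke `go generate` in the root of the project".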