diff --git a/README.md b/README.md index bc035da..01961a8 100644 --- a/README.md +++ b/README.md @@ -211,30 +211,9 @@ A number of global settings can be provided in a configuration file as follows: $ gosec -conf config.json . ``` -Also some rules accept configuration. For instance on rule `G104`, it is possible to define packages along with a list -of functions which will be skipped when auditing the not checked errors: +#### Rule Configuration -```JSON -{ - "G104": { - "ioutil": ["WriteFile"] - } -} -``` - -You can also configure the hard-coded credentials rule `G101` with additional patterns, or adjust the entropy threshold: - -```JSON -{ - "G101": { - "pattern": "(?i)passwd|pass|password|pwd|secret|private_key|token", - "ignore_entropy": false, - "entropy_threshold": "80.0", - "per_char_threshold": "3.0", - "truncate": "32" - } -} -``` +Some rules accept configuration flags as well; these flags are documented in [RULES.md](https://github.com/securego/gosec/blob/master/RULES.md). #### Go version diff --git a/RULES.md b/RULES.md new file mode 100644 index 0000000..94cfd76 --- /dev/null +++ b/RULES.md @@ -0,0 +1,61 @@ +# Rule Documentation + +## Rules accepting parameters + +As [README.md](https://github.com/securego/gosec/blob/master/README.md) mentions, some rules can be configured by adding parameters to the gosec JSON config. Per rule configs are encoded as top level objects in the gosec config, with the rule ID (`Gxxx`) as the key. + +Currently, the following rules accept parameters. This list is manually maintained; if you notice an omission please add it! + +### G101 + +The hard-coded credentials rule `G101` can be configured with additional patterns, and the entropy threshold can be adjusted: + +```JSON +{ + "G101": { + "pattern": "(?i)passwd|pass|password|pwd|secret|private_key|token", + "ignore_entropy": false, + "entropy_threshold": "80.0", + "per_char_threshold": "3.0", + "truncate": "32" + } +} +``` + +### G104 + +The unchecked error value rule `G104` can be configured with additional functions that should be permitted to be called without checking errors. + +```JSON +{ + "G104": { + "ioutil": ["WriteFile"] + } +} +``` + +### G111 + +The HTTP Directory serving rule `G111` can be configured with a different regex for detecting potentially overly permissive servers. Note that this *replaces* the default pattern of `http\.Dir\("\/"\)|http\.Dir\('\/'\)`. + +```JSON +{ + "G111": { + "pattern": "http\\.Dir\\(\"\\\/\"\\)|http\\.Dir\\('\\\/'\\)" + } +} + +``` + +### G301, G302, G306, G307 + +The various file and directory permission checking rules can be configured with a different maximum allowable file permission. + +```JSON +{ + "G301":"0o600", + "G302":"0o600", + "G306":"0o750", + "G307":"0o750" +} +```