mirror of
https://github.com/securego/gosec.git
synced 2024-12-25 03:55:54 +00:00
Rule documentation updates (#1272)
This commit is contained in:
parent
92de0ee7a2
commit
e21b4d42cf
2 changed files with 63 additions and 23 deletions
25
README.md
25
README.md
|
@ -211,30 +211,9 @@ A number of global settings can be provided in a configuration file as follows:
|
||||||
$ gosec -conf config.json .
|
$ gosec -conf config.json .
|
||||||
```
|
```
|
||||||
|
|
||||||
Also some rules accept configuration. For instance on rule `G104`, it is possible to define packages along with a list
|
#### Rule Configuration
|
||||||
of functions which will be skipped when auditing the not checked errors:
|
|
||||||
|
|
||||||
```JSON
|
Some rules accept configuration flags as well; these flags are documented in [RULES.md](https://github.com/securego/gosec/blob/master/RULES.md).
|
||||||
{
|
|
||||||
"G104": {
|
|
||||||
"ioutil": ["WriteFile"]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
You can also configure the hard-coded credentials rule `G101` with additional patterns, or adjust the entropy threshold:
|
|
||||||
|
|
||||||
```JSON
|
|
||||||
{
|
|
||||||
"G101": {
|
|
||||||
"pattern": "(?i)passwd|pass|password|pwd|secret|private_key|token",
|
|
||||||
"ignore_entropy": false,
|
|
||||||
"entropy_threshold": "80.0",
|
|
||||||
"per_char_threshold": "3.0",
|
|
||||||
"truncate": "32"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Go version
|
#### Go version
|
||||||
|
|
||||||
|
|
61
RULES.md
Normal file
61
RULES.md
Normal file
|
@ -0,0 +1,61 @@
|
||||||
|
# Rule Documentation
|
||||||
|
|
||||||
|
## Rules accepting parameters
|
||||||
|
|
||||||
|
As [README.md](https://github.com/securego/gosec/blob/master/README.md) mentions, some rules can be configured by adding parameters to the gosec JSON config. Per rule configs are encoded as top level objects in the gosec config, with the rule ID (`Gxxx`) as the key.
|
||||||
|
|
||||||
|
Currently, the following rules accept parameters. This list is manually maintained; if you notice an omission please add it!
|
||||||
|
|
||||||
|
### G101
|
||||||
|
|
||||||
|
The hard-coded credentials rule `G101` can be configured with additional patterns, and the entropy threshold can be adjusted:
|
||||||
|
|
||||||
|
```JSON
|
||||||
|
{
|
||||||
|
"G101": {
|
||||||
|
"pattern": "(?i)passwd|pass|password|pwd|secret|private_key|token",
|
||||||
|
"ignore_entropy": false,
|
||||||
|
"entropy_threshold": "80.0",
|
||||||
|
"per_char_threshold": "3.0",
|
||||||
|
"truncate": "32"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
### G104
|
||||||
|
|
||||||
|
The unchecked error value rule `G104` can be configured with additional functions that should be permitted to be called without checking errors.
|
||||||
|
|
||||||
|
```JSON
|
||||||
|
{
|
||||||
|
"G104": {
|
||||||
|
"ioutil": ["WriteFile"]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
### G111
|
||||||
|
|
||||||
|
The HTTP Directory serving rule `G111` can be configured with a different regex for detecting potentially overly permissive servers. Note that this *replaces* the default pattern of `http\.Dir\("\/"\)|http\.Dir\('\/'\)`.
|
||||||
|
|
||||||
|
```JSON
|
||||||
|
{
|
||||||
|
"G111": {
|
||||||
|
"pattern": "http\\.Dir\\(\"\\\/\"\\)|http\\.Dir\\('\\\/'\\)"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
### G301, G302, G306, G307
|
||||||
|
|
||||||
|
The various file and directory permission checking rules can be configured with a different maximum allowable file permission.
|
||||||
|
|
||||||
|
```JSON
|
||||||
|
{
|
||||||
|
"G301":"0o600",
|
||||||
|
"G302":"0o600",
|
||||||
|
"G306":"0o750",
|
||||||
|
"G307":"0o750"
|
||||||
|
}
|
||||||
|
```
|
Loading…
Reference in a new issue