Update README with details which describe the current behaviour of #nosec

Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
Cosmin Cojocar 2023-10-18 11:43:10 +02:00 committed by Cosmin Cojocar
parent d8a6d358dc
commit e298388908


@ -274,31 +274,33 @@ gosec -exclude-generated ./...
### Annotating code ### Annotating code
As with all automated detection tools, there will be cases of false positives. In cases where gosec reports a failure that has been manually verified as being safe, As with all automated detection tools, there will be cases of false positives.
In cases where gosec reports a failure that has been manually verified as being safe,
it is possible to annotate the code with a comment that starts with `#nosec`. it is possible to annotate the code with a comment that starts with `#nosec`.
The `#nosec` comment should have the format `#nosec [RuleList] [-- Justification]`. The `#nosec` comment should have the format `#nosec [RuleList] [-- Justification]`.
The annotation causes gosec to stop processing any further nodes within the The `#nosec` comment needs to be placed on the line where the warning is reported.
AST so can apply to a whole block or more granularly to a single expression.
```go ```go
func main() {
tr := &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: true, // #nosec G402
},
}
import "md5" //#nosec client := &http.Client{Transport: tr}
_, err := client.Get("https://golang.org/")
if err != nil {
func main(){ fmt.Println(err)
}
/* #nosec */
if x > y {
h := md5.New() // this will also be ignored
}
} }
``` ```
When a specific false positive has been identified and verified as safe, you may wish to suppress only that single rule (or a specific set of rules) When a specific false positive has been identified and verified as safe, you may
within a section of code, while continuing to scan for other problems. To do this, you can list the rule(s) to be suppressed within wish to suppress only that single rule (or a specific set of rules) within a section of code,
while continuing to scan for other problems. To do this, you can list the rule(s) to be suppressed within
the `#nosec` annotation, e.g: `/* #nosec G401 */` or `//#nosec G201 G202 G203` the `#nosec` annotation, e.g: `/* #nosec G401 */` or `//#nosec G201 G202 G203`
You could put the description or justification text for the annotation. The You could put the description or justification text for the annotation. The
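Review bot: the removed sentence ("The annotation causes gosec to stop processing any further nodes within the AST so can apply to a whole block or more granularly to a single expression") was the only place the README described the block-level `/* #nosec */` form and the `import "md5" //#nosec` form shown in the removed example; the replacement ("The `#nosec` comment needs to be placed on the line where the warning is reported") implies those forms no longer suppress anything but never says so. Since the commit sets out to describe current behaviour, state it explicitly, e.g. add after the new sentence: "A `#nosec` comment on an enclosing block, function or import does not suppress findings reported on other lines." The new G402 example also references `http`, `tls` and `fmt` without an import block; either show the imports or note that the snippet is a fragment, so readers do not copy it expecting it to compile.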