actions/gosec
1
0
Fork 0
mirror of https://github.com/securego/gosec.git synced 2024-11-05 19:45:51 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
1006 commits 2 branches 41 tags 20 MiB
Commit graph

123 commits

Author SHA1 Message Date
Fernandez Ludovic
5f0084eb01 feat: add env var to override the Go version detection 2024-05-25 11:00:44 +02:00
Cosmin Cojocar
1e1fc91d15 Update the README with some details related to Go version used by the rules 
Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
 2024-05-22 10:24:44 +02:00
Janusz Marcinkiewicz
f25ccd9fb5 Ignore 'implicit memory aliasing' rule for Go 1.22+ 
Signed-off-by: Janusz Marcinkiewicz <januszm@nvidia.com>
 2024-03-04 10:24:32 +01:00
Chaminda Divitotawela
43b7cbf661
Update README with upload-sarif v2 (#1078) 
GitHub action upload-sarif v1 is deprecated and action fails if used. Updated README with v2 so workflow can be copy and use without modiciations

Fixes #1077
 2023-11-28 09:09:22 +01:00
Cosmin Cojocar
64bbe90144 Fix some typos 
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
 2023-10-23 10:32:21 +02:00
Cosmin Cojocar
d9071e359b Update local installation instructions by removing the details for Go 1.16 
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
 2023-10-23 10:28:11 +02:00
Cosmin Cojocar
e298388908 Update README with details which describe the current behaviour of #nosec 
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
 2023-10-18 12:02:48 +02:00
Oleksandr Redko
09cf6efb3e
Fix typos in struct fields, comments, and docs (#1023) 2023-10-05 12:59:17 +02:00
Cosmin Cojocar
0d332a1027 Add a new rule which detects when a file is created with os.Create but the configured permissions are less than 0666 
It seems that the os.Create will create by default a file with 0666 permissions.

This should be detected when the configured permissions are less than 0666. By default will not detect this case
unless the more restrictive mode is configured.

Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
 2023-09-25 13:24:34 +02:00
Cosmin Cojocar
e02e2f6d5b Redesign and reimplement the slice out of bounds check using SSA code representation 
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
 2023-09-20 10:19:51 +02:00
Cosmin Cojocar
17b7d31f41
Update README file with new rule (#975) 
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
 2023-06-21 10:07:27 +02:00
Olivier Mengué
2ee3213dc1
README: upgrade GitHub action in examples (#950) 
Upgrade actions/checkout from v2 to v3 in GitHub actions examples.
 2023-04-13 10:23:06 +02:00
dan "smiley" murray
cdd3476f91
fix dead link to issue.go in README.md (#936) 2023-03-06 09:09:40 +01:00
Cosmin Cojocar
d5a9c73723
Remove rule G307 which checks when an error is not handled when a file or socket connection is closed (#935) 
* Remove read only types from unsafe defer rules

* Remove rule G307 which checks when an error is not handled when a file or socket connection is closed

This doesn't seem to bring much value from security perspective, and it caused a lot of controversy since
is a very common pattern in Go.

* Mentioned in documentation that rule G307 is retired

* Clean up the test for rule G307
 2023-02-24 14:04:13 +01:00
Cosmin Cojocar
392e53c8d0
Pin github action to latest release version 2.15.0 2023-02-08 11:29:30 +01:00
Cosmin Cojocar
d22a7b6ede
Add gosec version as an input parameter to GitHub action (#927) 
* Add gosec version as a paramter to the Github action

* Run gosec as a github action as part of CI
 2023-02-08 10:40:36 +01:00
Cosmin Cojocar
f9a8bf0152
Update slack badge and link (#905) 2022-12-12 12:20:22 +01:00
Ville Skyttä
0c8e63ed86
Detect use of net/http functions that have no support for setting timeouts (#842) 
https://blog.cloudflare.com/the-complete-guide-to-golang-net-http-timeouts/
https://blog.cloudflare.com/exposing-go-on-the-internet/

Closes https://github.com/securego/gosec/issues/833
 2022-08-02 17:16:44 +02:00
Vladimir Severov
9c19cb6501
Add check for usage of Rat.SetString in math/big with an overflow error (#819) 
* Add check for usage of Rat.SetString in math/big with an overflow error

Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7
has an overflow that can lead to Uncontrolled Memory Consumption.

It is the CVE-2022-23772.

* Use ContainsPkgCallExpr instead of manual parsing
 2022-06-03 00:19:51 +02:00
云微
34d144b3fa
Add new rule for Slowloris Attack 2022-04-30 12:38:50 +02:00
Gautam Mehta
0791d31471
Fix typo in ReadMe (#802) 2022-04-05 07:15:22 +02:00
Calin Capitanu
48bbf96b56
Adds directory traversal for Http.Dir("/") 2022-03-06 10:58:47 +01:00
Cosmin Cojocar
26f10e0a7a
Extend the release action to sign the docker image and binary files with cosign (#781) 
* Extend the release action to sign the docker image and binary files with cosign

* Fix lint warnings

* Fix the ling warnings

* Fix the lint warnings
 2022-02-22 21:33:42 +01:00
de-jcup
db8d98b571 Updated sponsor link in README.md 
- Because of rebranding (Daimler AG has become
  Mercedes-Benz Group AG) the github organization has
  been renamed as well.
- Updated sponsorship link in README.md to new github organization
 2022-02-07 10:34:42 +01:00
Cosmin Cojocar
e0f354aa0d
Add the sponsors section in the README file (#740) 2021-12-15 20:10:40 +01:00
Ville Skyttä
d23ab2d997
Remove space between // and #nosec in examples and internal use 
Comments intended for machines to read do not have the space by
convention.
 2021-12-15 19:31:14 +01:00
Yiwei Ding
b45f95f6ad
Add support for suppressing the findings 2021-12-09 11:53:36 +01:00
Ville Skyttä
f1f0056a90
Spelling fixes (#717) 2021-11-09 21:02:24 +01:00
xq840622
1297bedbc7
Update README.md (#707) 
"io/ioutil" package name is "ioutil"
 2021-10-14 09:54:09 +02:00
nobishii
991dd94f3a
Update local installation instruction (#703) 
Update local installation instruction for Go1.16+.
 2021-10-05 19:33:55 +02:00
Rodrigo Broggi
9f30bb6602
Typo correction (#681) 
Correcting the command flag from 'tag' to 'tags'
 2021-08-16 11:29:35 +02:00
Marc Brugger
62db81342e
Allow excluding generated files 2021-08-04 17:33:20 +02:00
Matthieu MOREL
af27673a87
Update README.md 2021-05-28 09:19:31 +02:00
Shreyas Subhedar
a8b633f124
Adding stdout and verbose flags and refactor how the report is saved 2021-05-10 10:44:55 +02:00
Matthieu MOREL
4df7f1c3e9
Fix typos, Go Report link and Gofmt 2021-05-07 18:04:01 +02:00
Matthieu MOREL
c4f5932ab7
Refactor : Replace Cwe with cwe.Weakness 2021-05-07 16:54:34 +02:00
Matthieu MOREL
cc83d4c922
Generate the SARIF types, handle taxonomies and separate responsibilities 2021-05-05 18:54:32 +02:00
Jeff Widman
0695fa026e
Add -u to local install instructions (#595) 
`-u` will ensure that users are updated the latest released version.

This way bugs are less likely to be reported that are already fixed.
 2021-04-16 09:50:10 +02:00
Cosmin Cojocar
dcbcc4dd2a
Use a more generic path for sonarqube import path (#573) 
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
 2021-02-11 14:19:46 +01:00
Cosmin Cojocar
2777e5065e
Update README with a note which describes how to import a SonarQube report (#572) 2021-02-11 12:10:44 +01:00
Mark Wolfe
d9d75834b6 update README with instructions on how to integrate with GitHub codescanning 2021-01-22 11:31:07 +01:00
Miki Tebeka
6bd6e4ba2c Use $(go env GOPATH) that works even when GOPATH is not set 2020-10-01 04:17:43 +10:00
Lucas Charles
aef335a98e Fix typo in README.md 
s/trucate/truncate for G101 configuration
 2020-10-01 04:17:00 +10:00
Cosmin Cojocar
868556b846 Update README with the correct path to tlsconfig command 
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
 2020-09-03 10:54:08 +02:00
Cosmin Cojocar
166e4f5f45 Update README file with some more details required to run successfully a scan with the docker image 
The current working directory needs to be specified in the docker run option in order for gosec
to download the dependencies defined in the go module file.

Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
 2020-09-01 08:57:52 +02:00
Cosmin Cojocar
a3895d5c55 Fix typo in README file 
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
 2020-08-31 10:27:02 +02:00
Jamie Cuthill
17c955519e Incorrect local installation instructions for v2 2020-08-21 11:23:36 +02:00
ggkitsas
b60ddc21ba feat: adds support for path.Join and for tar archives in G305 2020-08-03 09:17:45 +02:00
evalphobia
03f12f3f5d Change naming rule from blacklist to blocklist 2020-06-29 13:45:44 +02:00
Cosmin Cojocar
6a130d55b3
Update the link pointing to issues to CWE mapping to use the master version (#483) 
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
 2020-05-28 14:40:15 +02:00