gosec v2.18.1 releases: Golang Security Checker
gosec – Golang Security Checker
Inspects source code for security problems by scanning the Go AST.
Usage
Gosec can be configured to only run a subset of rules, exclude certain file paths, and produce reports in different formats. By default, all rules will be run against the supplied input files. To recursively scan from the current directory you can supply ./… as the input argument.
Available rules
- G101: Look for hardcoded credentials
- G102: Bind to all interfaces
- G103: Audit the use of unsafe block
- G104: Audit errors not checked
- G106: Audit the use of ssh.InsecureIgnoreHostKey
- G107: Url provided to the HTTP request as taint input
- G108: Profiling endpoint automatically exposed on /debug/pprof
- G109: Potential Integer overflow made by strconv.Atoi result conversion to int16/32
- G110: Potential DoS vulnerability via decompression bomb
- G201: SQL query construction using a format string
- G202: SQL query construction using string concatenation
- G203: Use of unescaped data in HTML templates
- G204: Audit use of command execution
- G301: Poor file permissions used when creating a directory
- G302: Poor file permissions used with chmod
- G303: Creating tempfile using a predictable path
- G304: File path provided as taint input
- G305: File traversal when extracting zip/tar archive
- G306: Poor file permissions used when writing to a new file
- G307: Deferring a method which returns an error
- G401: Detect the usage of DES, RC4, MD5 or SHA1
- G402: Look for bad TLS connection settings
- G403: Ensure minimum RSA key length of 2048 bits
- G404: Insecure random number source (rand)
- G501: Import blocklist: crypto/md5
- G502: Import blocklist: crypto/des
- G503: Import blocklist: crypto/rc4
- G504: Import blocklist: net/http/cgi
- G505: Import blocklist: crypto/sha1
- G601: Implicit memory aliasing of items from a range statement
Retired rules
- G105: Audit the use of math/big.Int.Exp – CVE is fixed
Changelog v2.18.1
- 0ec6cd9 Refactor how ignored issues are tracked
- f338a98 Restrict the maximum depth when tracking the slice bounds
- 7e2d8d3 Handle empty ssa results
- 074353a Handle gracefully any panic that occurs when building the SSA representation of a package
- ec31a3a Fix typo
- a11eb28 Handle new function when getting the call info in case is overriden
- 5b7867d Bump golang.org/x/net from 0.16.0 to 0.17.0 (#1037)
- dd08f99 Update to Go 1.21.3 and 1.20.10 (#1035)
- 616520f Update the list of unsafe functions detected by the unsafe rule (#1033)
- 3952187 Update the action to use gosec version v2.18.0 (#1029)
- 2b62dd1 Use a step ID in github release action to get the digest of the image (#1028)
