gosec v2.16 releases: Golang Security Checker
gosec – Golang Security Checker
Inspects source code for security problems by scanning the Go AST.
Usage
Gosec can be configured to only run a subset of rules, exclude certain file paths, and produce reports in different formats. By default, all rules will be run against the supplied input files. To recursively scan from the current directory you can supply ./… as the input argument.
Available rules
- G101: Look for hardcoded credentials
- G102: Bind to all interfaces
- G103: Audit the use of unsafe block
- G104: Audit errors not checked
- G106: Audit the use of ssh.InsecureIgnoreHostKey
- G107: Url provided to the HTTP request as taint input
- G108: Profiling endpoint automatically exposed on /debug/pprof
- G109: Potential Integer overflow made by strconv.Atoi result conversion to int16/32
- G110: Potential DoS vulnerability via decompression bomb
- G201: SQL query construction using a format string
- G202: SQL query construction using string concatenation
- G203: Use of unescaped data in HTML templates
- G204: Audit use of command execution
- G301: Poor file permissions used when creating a directory
- G302: Poor file permissions used with chmod
- G303: Creating tempfile using a predictable path
- G304: File path provided as taint input
- G305: File traversal when extracting zip/tar archive
- G306: Poor file permissions used when writing to a new file
- G307: Deferring a method which returns an error
- G401: Detect the usage of DES, RC4, MD5 or SHA1
- G402: Look for bad TLS connection settings
- G403: Ensure minimum RSA key length of 2048 bits
- G404: Insecure random number source (rand)
- G501: Import blocklist: crypto/md5
- G502: Import blocklist: crypto/des
- G503: Import blocklist: crypto/rc4
- G504: Import blocklist: net/http/cgi
- G505: Import blocklist: crypto/sha1
- G601: Implicit memory aliasing of items from a range statement
Retired rules
- G105: Audit the use of math/big.Int.Exp – CVE is fixed
Changelog v2.16
- c5ea1b7 Update cosign to latest version in release Github action (#958)
- 8632a8c chore(deps): update all dependencies (#956)
- ae3c2f7 Update go version in build and release scripts (#957)
- 970cc29 chore(deps): update all dependencies (#955)
- 47bfd4e Update Go version to 1.20.3 (#953)
- 440141a chore(deps): update all dependencies (#952)
- 7df7baa Fix for Dockerfile smell DL3059 (#951)
- 2ee3213 README: upgrade GitHub action in examples (#950)
- 68b5201 enable ginkgolinter linter (#948)
- 780ebd0 chore(deps): update all dependencies (#947)
- d6aeaad correct gci linter (#946)
- 73f0efc remove deprecated linters
- aef69b3 increase timeout to 5m
- 6bad723 chore(deps): update all dependencies
- 96bb741 Use the latest version
- 6a73248 Fix some linting warnings
- 83fc5e6 Fix lint warning
- 8e7cf4b Bump the go versions and golanci
- e7bfcd1 chore(deps): update all dependencies (#942)
- f823a7e Check nil pointer when variable is declared in a different file
- cdd3476 fix dead link to issue.go in README.md (#936)
- d5a9c73 Remove rule G307 which checks when an error is not handled when a file or socket connection is closed (#935)
- 27bf0e4 Fix rule index reference into sarif report (#934)
- e7b896f Bump golang.org/x/net from 0.6.0 to 0.7.0
- 4340efa Format file
- f850069 Use the gosec issue in the go analysers
- b1fd948 Fix file formatting
- 2071786 Update Go version in CI builds
- 1915717 Fix method name in the comment
- de2c6a3 Extract the issue in its own package
- 31e6327 Add support for Go analysis framework and SSA code representation
- e795d75 chore(deps): update all dependencies (#931)
- 8aa00db Remove the version form ci github action
- 392e53c Pin github action to latest release version 2.15.0
- ffe254e Revert the image tag in github action until a working solution is found
- a0eddfb Fix version interpolation in github action image
- d22a7b6 Add gosec version as an input parameter to GitHub action (#927)
- 2d6b0a5 Update release build script (#924)