Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Rule documentation updates #1272

Merged
merged 1 commit into from
Dec 17, 2024
Merged

Rule documentation updates #1272

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 2 additions & 23 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -211,30 +211,9 @@ A number of global settings can be provided in a configuration file as follows:
$ gosec -conf config.json .
```

Also some rules accept configuration. For instance on rule `G104`, it is possible to define packages along with a list
of functions which will be skipped when auditing the not checked errors:
#### Rule Configuration

```JSON
{
"G104": {
"ioutil": ["WriteFile"]
}
}
```

You can also configure the hard-coded credentials rule `G101` with additional patterns, or adjust the entropy threshold:

```JSON
{
"G101": {
"pattern": "(?i)passwd|pass|password|pwd|secret|private_key|token",
"ignore_entropy": false,
"entropy_threshold": "80.0",
"per_char_threshold": "3.0",
"truncate": "32"
}
}
```
Some rules accept configuration flags as well; these flags are documented in [RULES.md](https://github.com/securego/gosec/blob/master/RULES.md).

#### Go version

Expand Down
61 changes: 61 additions & 0 deletions RULES.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
# Rule Documentation
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is fine for configuration but we started a while a go this project to document each rule https://github.com/securego/securego.github.io. If you are interested in this area, you can contribute there. Thanks


## Rules accepting parameters

As [README.md](https://github.com/securego/gosec/blob/master/README.md) mentions, some rules can be configured by adding parameters to the gosec JSON config. Per rule configs are encoded as top level objects in the gosec config, with the rule ID (`Gxxx`) as the key.

Currently, the following rules accept parameters. This list is manually maintained; if you notice an omission please add it!

### G101

The hard-coded credentials rule `G101` can be configured with additional patterns, and the entropy threshold can be adjusted:

```JSON
{
"G101": {
"pattern": "(?i)passwd|pass|password|pwd|secret|private_key|token",
"ignore_entropy": false,
"entropy_threshold": "80.0",
"per_char_threshold": "3.0",
"truncate": "32"
}
}
```

### G104

The unchecked error value rule `G104` can be configured with additional functions that should be permitted to be called without checking errors.

```JSON
{
"G104": {
"ioutil": ["WriteFile"]
}
}
```

### G111

The HTTP Directory serving rule `G111` can be configured with a different regex for detecting potentially overly permissive servers. Note that this *replaces* the default pattern of `http\.Dir\("\/"\)|http\.Dir\('\/'\)`.

```JSON
{
"G111": {
"pattern": "http\\.Dir\\(\"\\\/\"\\)|http\\.Dir\\('\\\/'\\)"
}
}

```

### G301, G302, G306, G307

The various file and directory permission checking rules can be configured with a different maximum allowable file permission.

```JSON
{
"G301":"0o600",
"G302":"0o600",
"G306":"0o750",
"G307":"0o750"
}
```
Loading