在线时间:8:00-16:00
迪恩网络APP
随时随地掌握行业动态
扫描二维码
关注迪恩网络微信公众号
开源软件名称:securego/gosec开源软件地址:https://github.com/securego/gosec开源编程语言:Go 92.5%开源软件介绍:gosec - Golang Security CheckerInspects source code for security problems by scanning the Go AST. LicenseLicensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. You may obtain a copy of the License here. Project statusInstallCI Installation# binary will be $(go env GOPATH)/bin/gosec
curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $(go env GOPATH)/bin vX.Y.Z
# or install it into ./bin/
curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s vX.Y.Z
# In alpine linux (as it does not come with curl by default)
wget -O - -q https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s vX.Y.Z
# If you want to use the checksums provided on the "Releases" page
# then you will have to download a tar.gz file for your operating system instead of a binary file
wget https://github.com/securego/gosec/releases/download/vX.Y.Z/gosec_vX.Y.Z_OS.tar.gz
# The file will be in the current folder where you run the command
# and you can check the checksum like this
echo "<check sum from the check sum file> gosec_vX.Y.Z_OS.tar.gz" | sha256sum -c -
gosec --help GitHub ActionYou can run name: Run Gosec
on:
push:
branches:
- master
pull_request:
branches:
- master
jobs:
tests:
runs-on: ubuntu-latest
env:
GO111MODULE: on
steps:
- name: Checkout Source
uses: actions/checkout@v2
- name: Run Gosec Security Scanner
uses: securego/gosec@master
with:
args: ./... Integrating with code scanningYou can integrate third-party code analysis tools with GitHub code scanning by uploading data as SARIF files. The workflow shows an example of running the name: "Security Scan"
# Run workflow each time code is pushed to your repository and on a schedule.
# The scheduled workflow runs every at 00:00 on Sunday UTC time.
on:
push:
schedule:
- cron: '0 0 * * 0'
jobs:
tests:
runs-on: ubuntu-latest
env:
GO111MODULE: on
steps:
- name: Checkout Source
uses: actions/checkout@v2
- name: Run Gosec Security Scanner
uses: securego/gosec@master
with:
# we let the report trigger content trigger a failure using the GitHub Security features.
args: '-no-fail -fmt sarif -out results.sarif ./...'
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v1
with:
# Path to SARIF file relative to the root of the repository
sarif_file: results.sarif Local InstallationGo 1.16+go install github.com/securego/gosec/v2/cmd/gosec@latest Go version < 1.16go get -u github.com/securego/gosec/v2/cmd/gosec UsageGosec can be configured to only run a subset of rules, to exclude certain file
paths, and produce reports in different formats. By default all rules will be
run against the supplied input files. To recursively scan from the current
directory you can supply Available rules
Retired rules
Selecting rulesBy default, gosec will run all rules against the supplied file paths. It is however possible to select a subset of rules to run via the # Run a specific set of rules
$ gosec -include=G101,G203,G401 ./...
# Run everything except for rule G303
$ gosec -exclude=G303 ./... CWE MappingEvery issue detected by ConfigurationA number of global settings can be provided in a configuration file as follows: {
"global": {
"nosec": "enabled",
"audit": "enabled"
}
}
# Run with a global configuration file
$ gosec -conf config.json . Also some rules accept configuration. For instance on rule {
"G104": {
"ioutil": ["WriteFile"]
}
} You can also configure the hard-coded credentials rule {
"G101": {
"pattern": "(?i)passwd|pass|password|pwd|secret|private_key|token",
"ignore_entropy": false,
"entropy_threshold": "80.0",
"per_char_threshold": "3.0",
"truncate": "32"
}
} Dependenciesgosec will fetch automatically the dependencies of the code which is being analyzed when go module is turned on (e.g. Excluding test files and foldersgosec will ignore test files across all packages and any dependencies in your vendor directory. The scanning of test files can be enabled with the following flag: gosec -tests ./... Also additional folders can be excluded as follows: gosec -exclude-dir=rules -exclude-dir=cmd ./... Excluding generated filesgosec can ignore generated go files with default generated code comment.
gosec -exclude-generated ./... Annotating codeAs with all automated detection tools, there will be cases of false positives. In cases where gosec reports a failure that has been manually verified as being safe,
it is possible to annotate the code with a comment that starts with The annotation causes gosec to stop processing any further nodes within the AST so can apply to a whole block or more granularly to a single expression. import "md5" //#nosec
func main(){
/* #nosec */
if x > y {
h := md5.New() // this will also be ignored
}
} When a specific false positive has been identified and verified as safe, you may wish to suppress only that single rule (or a specific set of rules)
within a section of code, while continuing to scan for other problems. To do this, you can list the rule(s) to be suppressed within
the You could put the description or justification text for the annotation. The
justification should be after the rule(s) to suppress and start with two or
more dashes, e.g: In some cases you may also want to revisit places where gosec -nosec=true ./... Tracking suppressionsAs described above, we could suppress violations externally (using We could track suppressions by the gosec -track-suppressions -exclude=G101 -fmt=sarif -out=results.sarif ./...
Note: Only SARIF and JSON formats support tracking suppressions. Build tagsgosec is able to pass your Go build tags to the analyzer. They can be provided as a comma separated list as follows: gosec -tags debug,ignore ./... Output formatsgosec currently supports # Write output in json format to results.json
$ gosec -fmt=json -out=results.json *.go Results will be reported to stdout as well as to the provided output file by # Write output in json format to results.json as well as stdout
$ gosec -fmt=json -out=results.json -stdout *.go
# Overrides the output format to 'text' when stdout the results, while writing it to results.json
$ gosec -fmt=json -out=results.json -stdout -verbose=text *.go Note: gosec generates the generic issue import format for SonarQube, and a report has to be imported into SonarQube using DevelopmentBuildYou can build the binary with: make Note on Sarif Types GenerationInstall the tool with : go get -u github.com/a-h/generate/cmd/schema-generate Then generate the types with : schema-generate -i sarif-schema-2.1.0.json -o mypath/types.go Most of the MarshallJSON/UnmarshalJSON are removed except the one for PropertyBag which is handy to inline the additional properties. The rest can be removed. The URI,ID, UUID, GUID were renamed so it fits the Golang convention defined here TestsYou can run all unit tests using: make test ReleaseYou can create a release by tagging the version as follows: git tag v1.0.0 -m "Release version v1.0.0"
git push origin v1.0.0 The GitHub release workflow triggers immediately after the tag is pushed upstream. This flow will release the binaries using the goreleaser action and then it will build and publish the docker image into Docker Hub. The released artifacts are signed using cosign. You can use the public key from cosign.pub file to verify the signature of docker image and binaries files. The docker image signature can be verified with the following command:
The binary files signature can be verified with the following command:
Docker imageYou can also build locally the docker image by using the command: make image You can run the docker run --rm -it -w /<PROJECT>/ -v <YOUR PROJECT PATH>/<PROJECT>:/<PROJECT> securego/gosec /<PROJECT>/... Note: the current working directory needs to be set with Generate TLS ruleThe configuration of TLS rule can be generated from Mozilla's TLS ciphers recommendation. First you need to install the generator tool: go get github.com/securego/gosec/v2/cmd/tlsconfig/... You can invoke now the go generate ./... This will generate the Who is using gosec?This is a list with some of the gosec's users. SponsorsSupport this project by becoming a sponsor. Your logo will show up here with a link to your website |
2023-10-27
2022-08-15
2022-08-17
2022-09-23
2022-08-13
请发表评论