gosec

package module
v2.25.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 19, 2026 License: Apache-2.0 Imports: 35 Imported by: 42

README

gosec - Go Security Checker

Inspects source code for security problems by scanning the Go AST and SSA code representation.

⚠️ Container image migration notice: gosec images was migrated from Docker Hub to ghcr.io/securego/gosec. Starting with release v2.24.7 the image is no longer published in Docker Hub.

Features

  • Pattern-based rules for detecting common security issues in Go code
  • SSA-based analyzers for type conversions, slice bounds, and crypto issues
  • Taint analysis for tracking data flow from user input to dangerous functions (SQL injection, command injection, path traversal, SSRF, XSS, log injection)

License

Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. You may obtain a copy of the License here.

Project status

CII Best Practices Build Status Coverage Status GoReport GoDoc Docs Downloads GHCR Slack go-recipes

Installation

GitHub Action

You can run gosec as a GitHub action as follows:

Use the versioned tag with @master which is pinned to the latest stable release. This will provide a stable behavior.

name: Run Gosec
on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master
jobs:
  tests:
    runs-on: ubuntu-latest
    env:
      GO111MODULE: on
    steps:
      - name: Checkout Source
        uses: actions/checkout@v3
      - name: Run Gosec Security Scanner
        uses: securego/gosec@master
        with:
          args: ./...
Scanning Projects with Private Modules

If your project imports private Go modules, you need to configure authentication so that gosec can fetch the dependencies. Set the following environment variables in your workflow:

  • GOPRIVATE: A comma-separated list of module path prefixes that should be considered private (e.g., github.com/your-org/*).
  • GITHUB_AUTHENTICATION_TOKEN: A GitHub token with read access to your private repositories.
name: Run Gosec
on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master
jobs:
  tests:
    runs-on: ubuntu-latest
    env:
      GO111MODULE: on
      GOPRIVATE: github.com/your-org/*
      GITHUB_AUTHENTICATION_TOKEN: ${{ secrets.PRIVATE_REPO_TOKEN }}
    steps:
      - name: Checkout Source
        uses: actions/checkout@v3
      - name: Run Gosec Security Scanner
        uses: securego/gosec@v2
        with:
          args: ./...
Integrating with code scanning

You can integrate third-party code analysis tools with GitHub code scanning by uploading data as SARIF files.

The workflow shows an example of running the gosec as a step in a GitHub action workflow which outputs the results.sarif file. The workflow then uploads the results.sarif file to GitHub using the upload-sarif action.

name: "Security Scan"

# Run workflow each time code is pushed to your repository and on a schedule.
# The scheduled workflow runs every at 00:00 on Sunday UTC time.
on:
  push:
  schedule:
  - cron: '0 0 * * 0'

jobs:
  tests:
    runs-on: ubuntu-latest
    env:
      GO111MODULE: on
    steps:
      - name: Checkout Source
        uses: actions/checkout@v3
      - name: Run Gosec Security Scanner
        uses: securego/gosec@v2
        with:
          # we let the report trigger content trigger a failure using the GitHub Security features.
          args: '-no-fail -fmt sarif -out results.sarif ./...'
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v2
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: results.sarif
Go Analysis

The goanalysis package provides a golang.org/x/tools/go/analysis.Analyzer for integration with tools that support the standard Go analysis interface, such as Bazel's nogo framework:

nogo(
    name = "nogo",
    deps = [
        "@com_github_securego_gosec_v2//goanalysis",
        # add more analyzers as needed
    ],
    visibility = ["//visibility:public"],
)
Local Installation

gosec requires Go 1.25 or newer.

go install github.com/securego/gosec/v2/cmd/gosec@latest

Quick start

# Scan all packages in current module
gosec ./...

# Write JSON report
gosec -fmt json -out results.json ./...

# Write SARIF report for code scanning
gosec -fmt sarif -out results.sarif ./...
Exit codes
  • 0: scan finished without unsuppressed findings/errors
  • 1: at least one unsuppressed finding or processing error
  • Use -no-fail to always return 0

Usage

Gosec can be configured to only run a subset of rules, to exclude certain file paths, and produce reports in different formats. By default all rules will be run against the supplied input files. To recursively scan from the current directory you can supply ./... as the input argument.

Available rules

gosec includes rules across these categories:

  • G1xx: general secure coding issues (for example hardcoded credentials, unsafe usage, HTTP hardening, cookie security)
  • G2xx: injection risks in query/template/command construction
  • G3xx: file and path handling risks (permissions, traversal, temp files, archive extraction)
  • G4xx: crypto and TLS weaknesses
  • G5xx: blocklisted imports
  • G6xx: Go-specific correctness/security checks (for example range aliasing and slice bounds)
  • G7xx: taint analysis rules (SQL injection, command injection, path traversal, SSRF, XSS, log, SMTP injection, SSTI and unsafe deserialization)

For the full list, rule descriptions, and per-rule configuration, see RULES.md.

Retired rules
  • G105: Audit the use of math/big.Int.Exp - CVE is fixed
  • G307: Deferring a method which returns an error - causing more inconvenience than fixing a security issue, despite the details from this blog post
Selecting rules

By default, gosec will run all rules against the supplied file paths. It is however possible to select a subset of rules to run via the -include= flag, or to specify a set of rules to explicitly exclude using the -exclude= flag.

# Run a specific set of rules
$ gosec -include=G101,G203,G401 ./...

# Run everything except for rule G303
$ gosec -exclude=G303 ./...
CWE Mapping

Every issue detected by gosec is mapped to a CWE (Common Weakness Enumeration) which describes in more generic terms the vulnerability. The exact mapping can be found here.

Configuration

A number of global settings can be provided in a configuration file as follows:

{
    "global": {
        "nosec": "enabled",
        "audit": "enabled"
    }
}
  • nosec: this setting will overwrite all #nosec directives defined throughout the code base
  • audit: runs in audit mode which enables addition checks that for normal code analysis might be too nosy
# Run with a global configuration file
$ gosec -conf config.json .
Path-Based Rule Exclusions

Large repositories with multiple components may need different security rules for different paths. Use exclude-rules to suppress specific rules for specific paths.

Configuration File:

{
  "exclude-rules": [
    {
      "path": "cmd/.*",
      "rules": ["G204", "G304"]
    },
    {
      "path": "scripts/.*",
      "rules": ["*"]
    }
  ]
}

CLI Flag:

# Exclude G204 and G304 from cmd/ directory
gosec --exclude-rules="cmd/.*:G204,G304" ./...

# Exclude all rules from scripts/ directory  
gosec --exclude-rules="scripts/.*:*" ./...

# Multiple exclusions
gosec --exclude-rules="cmd/.*:G204,G304;test/.*:G101" ./...
Field Type Description
path string (regex) Regular expression matched against file paths
rules []string Rule IDs to exclude. Use * to exclude all rules
Rule Configuration

Some rules accept configuration flags as well; these flags are documented in RULES.md.

Go version

Some rules require a specific Go version which is retrieved from the Go module file present in the project. If this version cannot be found, it will fallback to Go runtime version.

The Go module version is parsed using the go list command which in some cases might lead to performance degradation. In this situation, the go module version can be easily provided by setting the environment variable GOSECGOVERSION=go1.21.1.

Dependencies

gosec loads packages using Go modules. In most projects, dependencies are resolved automatically during scanning.

If dependencies are missing, run:

go mod tidy
go mod download
Excluding test files and folders

gosec will ignore test files across all packages and any dependencies in your vendor directory.

The scanning of test files can be enabled with the following flag:

gosec -tests ./...

Also additional folders can be excluded as follows:

 gosec -exclude-dir=rules -exclude-dir=cmd ./...
Excluding generated files

gosec can ignore generated go files with default generated code comment.

// Code generated by some generator DO NOT EDIT.

gosec -exclude-generated ./...
Auto fixing vulnerabilities

gosec can suggest fixes based on AI recommendation. It will call an AI API to receive a suggestion for a security finding.

You can enable this feature by providing the following command line arguments:

  • ai-api-provider: the name of the AI API provider. Supported providers:
    • Gemini: gemini-2.5-pro, gemini-2.5-flash, gemini-2.5-flash-lite, gemini-2.0-flash, gemini-2.0-flash-lite (default)
    • Claude: claude-sonnet-4-0 (default), claude-opus-4-0, claude-opus-4-1, claude-sonnet-3-7
    • OpenAI: gpt-4o (default), gpt-4o-mini
    • Custom OpenAI-compatible: Any custom model name (requires ai-base-url)
  • ai-api-key or set the environment variable GOSEC_AI_API_KEY: the key to access the AI API
  • ai-base-url: (optional) custom base URL for OpenAI-compatible APIs (e.g., Azure OpenAI, LocalAI, Ollama)
  • ai-skip-ssl: (optional) skip SSL certificate verification for AI API (useful for self-signed certificates)

Examples:

# Using Gemini
gosec -ai-api-provider="gemini-2.0-flash" -ai-api-key="your_key" ./...

# Using Claude
gosec -ai-api-provider="claude-sonnet-4-0" -ai-api-key="your_key" ./...

# Using OpenAI
gosec -ai-api-provider="gpt-4o" -ai-api-key="your_key" ./...

# Using Azure OpenAI
gosec -ai-api-provider="gpt-4o" \
  -ai-api-key="your_azure_key" \
  -ai-base-url="https://your-resource.openai.azure.com/openai/deployments/your-deployment" \
  ./...

# Using local Ollama with custom model
gosec -ai-api-provider="llama3.2" \
  -ai-base-url="http://localhost:11434/v1" \
  ./...

# Using self-signed certificate API
gosec -ai-api-provider="custom-model" \
  -ai-api-key="your_key" \
  -ai-base-url="https://internal-api.company.com/v1" \
  -ai-skip-ssl \
  ./...
Annotating code

As with all automated detection tools, there will be cases of false positives. In cases where gosec reports a failure that has been manually verified as being safe, it is possible to annotate the code with a comment that starts with #nosec.

The #nosec comment should have the format #nosec [RuleList] [- Justification].

The #nosec comment needs to be placed on the line where the warning is reported.

func main() {
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{
			InsecureSkipVerify: true, // #nosec G402
		},
	}

	client := &http.Client{Transport: tr}
	_, err := client.Get("https://go.dev/")
	if err != nil {
		fmt.Println(err)
	}
}

When a specific false positive has been identified and verified as safe, you may wish to suppress only that single rule (or a specific set of rules) within a section of code, while continuing to scan for other problems. To do this, you can list the rule(s) to be suppressed within the #nosec annotation, e.g: /* #nosec G401 */ or //#nosec G201 G202 G203

You could put the description or justification text for the annotation. The justification should be after the rule(s) to suppress and start with two or more dashes, e.g: //#nosec G101 G102 -- This is a false positive

Alternatively, gosec also supports the //gosec:disable directive, which functions similar to #nosec:

//gosec:disable G101 -- This is a false positive

In some cases you may also want to revisit places where #nosec or //gosec:disable annotations have been used. To run the scanner and ignore any #nosec annotations you can do the following:

gosec -nosec=true ./...
Tracking suppressions

As described above, we could suppress violations externally (using -include/ -exclude) or inline (using #nosec annotations). Suppression metadata can be emitted for auditing.

Enable suppression tracking with -track-suppressions:

gosec -track-suppressions -exclude=G101 -fmt=sarif -out=results.sarif ./...
  • For external suppressions, gosec records suppression info where kind is external and justification is Globally suppressed..
  • For inline suppressions, gosec records suppression info where kind is inSource and justification is the text after two or more dashes in the comment.

Note: Only SARIF and JSON formats support tracking suppressions.

Build tags

gosec is able to pass your Go build tags to the analyzer. They can be provided as a comma separated list as follows:

gosec -tags debug,ignore ./...
Output formats

gosec supports text, json, yaml, csv, junit-xml, html, sonarqube, golint, and sarif. By default, results will be reported to stdout, but can also be written to an output file. The output format is controlled by the -fmt flag, and the output file is controlled by the -out flag as follows:

# Write output in json format to results.json
$ gosec -fmt=json -out=results.json *.go

Use -stdout to print results while also writing -out. Use -verbose to override stdout format while preserving the file format.

# Write output in json format to results.json as well as stdout
$ gosec -fmt=json -out=results.json -stdout *.go

# Overrides the output format to 'text' when stdout the results, while writing it to results.json
$ gosec -fmt=json -out=results.json -stdout -verbose=text *.go

Note: gosec generates the generic issue import format for SonarQube, and a report has to be imported into SonarQube using sonar.externalIssuesReportPaths=path/to/gosec-report.json.

Common usage patterns

# Fail only on medium+ severity findings
gosec -severity medium ./...

# Fail only on medium+ confidence findings
gosec -confidence medium ./...

# Exclude specific rules for specific paths
gosec --exclude-rules="cmd/.*:G204,G304;scripts/.*:*" ./...

# Exclude generated files in scan
gosec -exclude-generated ./...

# Include test files in scan
gosec -tests ./...

Development

Development documentation was moved to DEVELOPMENT.md.

Who is using gosec?

This is a list with some of the gosec's users.

Sponsors

Support this project by becoming a sponsor. Your logo will show up here with a link to your website

Documentation

Overview

Package gosec holds the central scanning logic used by gosec security scanner

Index

Constants

View Source 
const (
	// Globals are applicable to all rules and used for general
	// configuration settings for gosec.
	Globals = "global"
	// ExcludeRulesKey is the config key for path-based rule exclusions
	ExcludeRulesKey = "exclude-rules"
)
View Source 
const LoadMode = packages.NeedName |
	packages.NeedFiles |
	packages.NeedCompiledGoFiles |
	packages.NeedImports |
	packages.NeedTypes |
	packages.NeedTypesSizes |
	packages.NeedTypesInfo |
	packages.NeedSyntax |
	packages.NeedModule |
	packages.NeedEmbedFiles |
	packages.NeedEmbedPatterns

LoadMode controls the amount of details to return when loading the packages

Variables

View Source 
var (
	ErrNoPackageTypeInfo = errors.New("package has no type information")
	ErrNilPackage        = errors.New("nil package provided")
)
View Source 
var (
	ErrUnexpectedASTNode     = errors.New("unexpected AST node type")
	ErrNoProjectRelativePath = errors.New("no project relative path found")
	ErrNoProjectAbsolutePath = errors.New("no project absolute path found")
)
View Source 
var GlobalCache = NewLRUCache[any, any](1 << 16)

GlobalCache is a shared LRU cache for expensive operations. Each use case should define its own named key type to avoid collisions.

Key type requirements:

  • The key type must be comparable (no slices, maps, or funcs)
  • Use type definitions (type MyKey struct{...}), not type aliases (type MyKey = ...)
  • Avoid anonymous structs - they collide if the structure matches

Functions

func CLIBuildTags added in v2.22.11 

func CLIBuildTags(buildTags []string) []string

CLIBuildTags converts a list of Go build tags into the corresponding CLI build flag (-tags=form) by trimming whitespace, removing empty entries, and joining them into a comma-separated -tags argument for use with go build commands.

func ConcatString 

func ConcatString(expr ast.Expr, ctx *Context) (string, bool)

ConcatString recursively concatenates constant strings from an expression if the entire chain is fully constant-derived (using TryResolve). Returns the concatenated string and true if successful.

func ContainingFile added in v2.23.0 

func ContainingFile(p interface{ Pos() token.Pos }, ctx *Context) *ast.File

ContainingFile returns the *ast.File from ctx.PkgFiles that contains the given position provider. A position provider can be an ast.Node, a types.Object, or any type with a Pos() token.Pos method. Returns nil if not found or if the provider is nil/invalid.

func ExcludedDirsRegExp 

func ExcludedDirsRegExp(excludedDirs []string) []*regexp.Regexp

ExcludedDirsRegExp builds the regexps for a list of excluded dirs provided as strings

func FindModuleRoot added in v2.24.0 

func FindModuleRoot(dir string) string

FindModuleRoot returns the directory containing the go.mod file that governs the given directory. It walks upward from dir until it finds a go.mod file or reaches the filesystem root. Returns "" if no go.mod is found.

This is needed to correctly load packages in multi-module repositories: without setting packages.Config.Dir to the module root, packages.Load uses the current working directory for module resolution, which fails when the CWD belongs to a different module than the package being loaded.

func FindVarIdentities 

func FindVarIdentities(n *ast.BinaryExpr, c *Context) ([]*ast.Ident, bool)

FindVarIdentities returns array of all variable identities in a given binary expression

func GetBinaryExprOperands added in v2.4.0 

func GetBinaryExprOperands(be *ast.BinaryExpr) []ast.Node

GetBinaryExprOperands returns all operands of a binary expression by traversing the expression tree

func GetCallInfo 

func GetCallInfo(n ast.Node, ctx *Context) (string, string, error)

GetCallInfo returns the package or type and name associated with a call expression.

func GetCallObject 

func GetCallObject(n ast.Node, ctx *Context) (*ast.CallExpr, types.Object)

GetCallObject returns the object and call expression and associated object for a given AST node. nil, nil will be returned if the object cannot be resolved.

func GetCallStringArgsValues 

func GetCallStringArgsValues(n ast.Node, _ *Context) []string

GetCallStringArgsValues returns the values of strings arguments if they can be resolved

func GetChar 

func GetChar(n ast.Node) (byte, error)

GetChar will read and return a char value from an ast.BasicLit

func GetFloat 

func GetFloat(n ast.Node) (float64, error)

GetFloat will read and return a float value from an ast.BasicLit

func GetIdentStringValues 

func GetIdentStringValues(ident *ast.Ident) []string

GetIdentStringValues return the string values of an Ident if they can be resolved

func GetIdentStringValuesRecursive added in v2.17.0 

func GetIdentStringValuesRecursive(ident *ast.Ident) []string

GetIdentStringValuesRecursive returns the string of values of an Ident if they can be resolved The difference between this and GetIdentStringValues is that it will attempt to resolve the strings recursively, if it is passed a *ast.BinaryExpr. See GetStringRecursive for details

func GetImportPath 

func GetImportPath(name string, ctx *Context) (string, bool)

GetImportPath resolves the full import path of an identifier based on the imports in the current context(including aliases).

func GetImportedNames added in v2.14.0 

func GetImportedNames(path string, ctx *Context) (names []string, found bool)

GetImportedNames returns the name(s)/alias(es) used for the package within the code. It ignores initialization-only imports.

func GetInt 

func GetInt(n ast.Node) (int64, error)

GetInt will read and return an integer value from an ast.BasicLit

func GetLocation 

func GetLocation(n ast.Node, ctx *Context) (string, int)

GetLocation returns the filename and line number of an ast.Node

func GetPkgAbsPath 

func GetPkgAbsPath(pkgPath string) (string, error)

GetPkgAbsPath returns the Go package absolute path derived from the given path

func GetPkgRelativePath 

func GetPkgRelativePath(path string) (string, error)

GetPkgRelativePath returns the Go relative path derived form the given path

func GetString 

func GetString(n ast.Node) (string, error)

GetString will read and return a string value from an ast.BasicLit

func GetStringRecursive added in v2.17.0 

func GetStringRecursive(n ast.Node) (string, error)

func Getenv 

func Getenv(key, userDefault string) string

Getenv returns the values of the environment variable, otherwise returns the default if variable is not set

func GoVersion added in v2.12.0 

func GoVersion() (int, int, int)

GoVersion returns parsed version of Go mod version and fallback to runtime version if not found.

func Gopath 

func Gopath() []string

Gopath returns all GOPATHs

func MatchCallByPackage 

func MatchCallByPackage(n ast.Node, c *Context, pkg string, names ...string) (*ast.CallExpr, bool)

MatchCallByPackage ensures that the specified package is imported, adjusts the name for any aliases and ignores cases that are initialization only imports.

Usage: 

node, matched := MatchCallByPackage(n, ctx, "math/rand", "Read")

func MatchCompLit 

func MatchCompLit(n ast.Node, ctx *Context, required string) *ast.CompositeLit

MatchCompLit will match an ast.CompositeLit based on the supplied type

func NoSecTag added in v2.17.0 

func NoSecTag(tag string) string

NoSecTag returns the tag used to disable gosec for a line of code.

func PackagePaths 

func PackagePaths(root string, excludes []*regexp.Regexp) ([]string, error)

PackagePaths returns a slice with all packages path at given root directory

func ParseErrors added in v2.23.0 

func ParseErrors(pkg *packages.Package) (map[string][]Error, error)

ParseErrors parses errors from the package and returns them as a map.

func RegexMatchWithCache added in v2.23.0 

func RegexMatchWithCache(re *regexp.Regexp, s string) bool

RegexMatchWithCache returns the result of re.MatchString(s), using GlobalCache to store previous results for improved performance on repeated lookups.

func RootPath 

func RootPath(root string) (string, error)

RootPath returns the absolute root path of a scan

func TryResolve 

func TryResolve(n ast.Node, c *Context) bool

TryResolve will attempt, given a subtree starting at some AST node, to resolve all values contained within to a known constant. It is used to check for any unknown values in compound expressions.

Types

type Analyzer 

type Analyzer struct {
	// contains filtered or unexported fields
}

Analyzer object is the main object of gosec. It has methods to load and analyze packages, traverse ASTs, and invoke the correct checking rules on each node as required.

func NewAnalyzer 

func NewAnalyzer(conf Config, tests bool, excludeGenerated bool, trackSuppressions bool, concurrency int, logger *log.Logger) *Analyzer

NewAnalyzer builds a new analyzer.

func (*Analyzer) AppendError 

func (gosec *Analyzer) AppendError(file string, err error)

AppendError appends an error to the file errors

func (*Analyzer) CheckAnalyzers added in v2.16.0 

func (gosec *Analyzer) CheckAnalyzers(pkg *packages.Package)

CheckAnalyzers runs analyzers on a given package.

func (*Analyzer) CheckAnalyzersWithSSA added in v2.23.0 

func (gosec *Analyzer) CheckAnalyzersWithSSA(pkg *packages.Package, ssaResult *buildssa.SSA)

CheckAnalyzersWithSSA runs analyzers on a given package using an existing SSA result.

func (*Analyzer) CheckRules added in v2.16.0 

func (gosec *Analyzer) CheckRules(pkg *packages.Package)

CheckRules runs analysis on the given package.

func (*Analyzer) Config 

func (gosec *Analyzer) Config() Config

Config returns the current configuration

func (*Analyzer) LoadAnalyzers added in v2.21.0 

func (gosec *Analyzer) LoadAnalyzers(analyzerDefinitions map[string]analyzers.AnalyzerDefinition, analyzerSuppressed map[string]bool)

LoadAnalyzers instantiates all the analyzers to be used when analyzing source packages

func (*Analyzer) LoadRules 

func (gosec *Analyzer) LoadRules(ruleDefinitions map[string]RuleBuilder, ruleSuppressed map[string]bool)

LoadRules instantiates all the rules to be used when analyzing source packages

func (*Analyzer) Process 

func (gosec *Analyzer) Process(buildTags []string, packagePaths ...string) error

Process kicks off the analysis process for a given package

func (*Analyzer) Report 

func (gosec *Analyzer) Report() ([]*issue.Issue, *Metrics, map[string][]Error)

Report returns the current issues discovered and the metrics about the scan

func (*Analyzer) Reset 

func (gosec *Analyzer) Reset()

Reset clears state such as context, issues and metrics from the configured analyzer

func (*Analyzer) SetConfig 

func (gosec *Analyzer) SetConfig(conf Config)

SetConfig updates the analyzer configuration

type CallList 

type CallList map[string]set

CallList is used to check for usage of specific packages and functions.

func NewCallList 

func NewCallList() CallList

NewCallList creates a new empty CallList

func (CallList) Add 

func (c CallList) Add(selector, ident string)

Add a selector and call to the call list

func (CallList) AddAll 

func (c CallList) AddAll(selector string, idents ...string)

AddAll will add several calls to the call list at once

func (CallList) Contains 

func (c CallList) Contains(selector, ident string) bool

Contains returns true if the package and function are members of this call list.

func (CallList) ContainsCallExpr 

func (c CallList) ContainsCallExpr(n ast.Node, ctx *Context) *ast.CallExpr

ContainsCallExpr resolves the call expression name and type, and then determines if the call exists with the call list

func (CallList) ContainsPkgCallExpr 

func (c CallList) ContainsPkgCallExpr(n ast.Node, ctx *Context, stripVendor bool) *ast.CallExpr

ContainsPkgCallExpr resolves the call expression name and type, and then further looks up the package path for that type. Finally, it determines if the call exists within the call list

func (CallList) ContainsPointer 

func (c CallList) ContainsPointer(selector, indent string) bool

ContainsPointer returns true if a pointer to the selector type or the type itself is a members of this call list.

type Config 

type Config map[string]interface{}

Config is used to provide configuration and customization to each of the rules.

func NewConfig 

func NewConfig() Config

NewConfig initializes a new configuration instance. The configuration data then needs to be loaded via c.ReadFrom(strings.NewReader("config data")) or from a *os.File.

func (Config) Get 

func (c Config) Get(section string) (interface{}, error)

Get returns the configuration section for the supplied key

func (Config) GetExcludeRules added in v2.23.0 

func (c Config) GetExcludeRules() ([]PathExcludeRule, error)

GetExcludeRules retrieves the path-based exclusion rules from the configuration. Returns nil if no exclusion rules are configured.

func (Config) GetGlobal 

func (c Config) GetGlobal(option GlobalOption) (string, error)

GetGlobal returns value associated with global configuration option

func (Config) IsGlobalEnabled 

func (c Config) IsGlobalEnabled(option GlobalOption) (bool, error)

IsGlobalEnabled checks if a global option is enabled

func (Config) ReadFrom 

func (c Config) ReadFrom(r io.Reader) (int64, error)

ReadFrom implements the io.ReaderFrom interface. This should be used with io.Reader to load configuration from file or from string etc.

func (Config) Set 

func (c Config) Set(section string, value interface{})

Set section in the configuration to specified value

func (Config) SetExcludeRules added in v2.23.0 

func (c Config) SetExcludeRules(rules []PathExcludeRule)

SetExcludeRules sets the path-based exclusion rules in the configuration.

func (Config) SetGlobal 

func (c Config) SetGlobal(option GlobalOption, value string)

SetGlobal associates a value with a global configuration option

func (Config) WriteTo 

func (c Config) WriteTo(w io.Writer) (int64, error)

WriteTo implements the io.WriteTo interface. This should be used to save or print out the configuration information.

type Context 

type Context struct {
	FileSet      *token.FileSet
	Comments     ast.CommentMap
	Info         *types.Info
	Pkg          *types.Package
	PkgFiles     []*ast.File
	Root         *ast.File
	Imports      *ImportTracker
	Config       Config
	Ignores      ignores
	PassedValues map[string]any
	// contains filtered or unexported fields
}

The Context is populated with data parsed from the source code as it is scanned. It is passed through to all rule functions as they are called. Rules may use this data in conjunction with the encountered AST node.

func (*Context) GetFileAtNodePos added in v2.16.0 

func (ctx *Context) GetFileAtNodePos(node ast.Node) *token.File

GetFileAtNodePos returns the file at the node position in the file set available in the context.

func (*Context) NewIssue added in v2.16.0 

func (ctx *Context) NewIssue(node ast.Node, ruleID, desc string,
	severity, confidence issue.Score,
) *issue.Issue

NewIssue creates a new issue

type Error 

type Error struct {
	Line   int    `json:"line"`
	Column int    `json:"column"`
	Err    string `json:"error"`
}

Error is used when there are golang errors while parsing the AST

func NewError 

func NewError(line, column int, err string) *Error

NewError creates Error object

type GlobalOption 

type GlobalOption string

GlobalOption defines the name of the global options 

const (
	// Nosec global option for #nosec directive
	Nosec GlobalOption = "nosec"
	// ShowIgnored defines whether nosec issues are counted as finding or not
	ShowIgnored GlobalOption = "show-ignored"
	// Audit global option which indicates that gosec runs in audit mode
	Audit GlobalOption = "audit"
	// NoSecAlternative global option alternative for #nosec directive
	NoSecAlternative GlobalOption = "#nosec"
	// ExcludeRules global option for some rules  should not be load
	ExcludeRules GlobalOption = "exclude"
	// IncludeRules global option for  should be load
	IncludeRules GlobalOption = "include"
	// SSA global option to enable go analysis framework with SSA support
	SSA GlobalOption = "ssa"
)

type ImportTracker 

type ImportTracker struct {
	// Imported is a map of Imported with their associated names/aliases.
	Imported map[string][]string
}

ImportTracker is used to normalize the packages that have been imported by a source file. It is able to differentiate between plain imports, aliased imports and init only imports.

func NewImportTracker 

func NewImportTracker() *ImportTracker

NewImportTracker creates an empty Import tracker instance

func (*ImportTracker) TrackFile 

func (t *ImportTracker) TrackFile(file *ast.File)

TrackFile track all the imports used by the supplied file

func (*ImportTracker) TrackImport 

func (t *ImportTracker) TrackImport(imported *ast.ImportSpec)

TrackImport tracks imports.

func (*ImportTracker) TrackPackages 

func (t *ImportTracker) TrackPackages(pkgs ...*types.Package)

TrackPackages tracks all the imports used by the supplied packages

type LRUCache added in v2.23.0 

type LRUCache[K comparable, V any] struct {
	// contains filtered or unexported fields
}

LRUCache is a simple thread-safe generic LRU cache.

func NewLRUCache added in v2.23.0 

func NewLRUCache[K comparable, V any](capacity int) *LRUCache[K, V]

NewLRUCache creates a new thread-safe LRU cache with the given capacity.

func (*LRUCache[K, V]) Add added in v2.23.0 

func (c *LRUCache[K, V]) Add(key K, value V)

Add inserts or updates a key-value pair in the cache. If the key exists, its value is updated and moved to the front. If the cache is full, the least recently used entry is evicted.

func (*LRUCache[K, V]) Get added in v2.23.0 

func (c *LRUCache[K, V]) Get(key K) (V, bool)

Get retrieves a value from the cache. Returns the value and true if found, or the zero value and false if not found. Moves the entry to the front of the LRU list.

type Metrics 

type Metrics struct {
	NumFiles int `json:"files"`
	NumLines int `json:"lines"`
	NumNosec int `json:"nosec"`
	NumFound int `json:"found"`
}

Metrics used when reporting information about a scanning run.

func (*Metrics) Merge added in v2.23.0 

func (m *Metrics) Merge(other *Metrics)

Merge merges the metrics from another Metrics object into this one.

type PathExcludeRule added in v2.23.0 

type PathExcludeRule struct {
	Path  string   `json:"path"`  // Regex pattern for matching file paths
	Rules []string `json:"rules"` // Rule IDs to exclude. Use "*" to exclude all rules
}

PathExcludeRule defines rules to exclude for specific file paths

func MergeExcludeRules added in v2.23.0 

func MergeExcludeRules(configRules, cliRules []PathExcludeRule) []PathExcludeRule

MergeExcludeRules combines exclude rules from multiple sources (config file + CLI). CLI rules take precedence and are processed first.

func ParseCLIExcludeRules added in v2.23.0 

func ParseCLIExcludeRules(input string) ([]PathExcludeRule, error)

ParseCLIExcludeRules parses the CLI format for exclude-rules. Format: "path:rule1,rule2;path2:rule3,rule4" Example: "cmd/.*:G204,G304;test/.*:G101"

type PathExclusionFilter added in v2.23.0 

type PathExclusionFilter struct {
	// contains filtered or unexported fields
}

PathExclusionFilter handles filtering of issues based on path and rule combinations

func NewPathExclusionFilter added in v2.23.0 

func NewPathExclusionFilter(rules []PathExcludeRule) (*PathExclusionFilter, error)

NewPathExclusionFilter creates a new filter from the provided exclusion rules. Returns an error if any path regex is invalid.

func (*PathExclusionFilter) FilterIssues added in v2.23.0 

func (f *PathExclusionFilter) FilterIssues(issues []*issue.Issue) ([]*issue.Issue, int)

FilterIssues applies path-based exclusions to a slice of issues. Returns the filtered issues and the count of excluded issues.

func (*PathExclusionFilter) ShouldExclude added in v2.23.0 

func (f *PathExclusionFilter) ShouldExclude(filePath, ruleID string) bool

ShouldExclude returns true if the given issue should be excluded based on its file path and rule ID

func (*PathExclusionFilter) String added in v2.23.0 

func (f *PathExclusionFilter) String() string

String returns a human-readable representation of the filter

type ReportInfo added in v2.8.0 

type ReportInfo struct {
	Errors       map[string][]Error `json:"Golang errors"`
	Issues       []*issue.Issue
	Stats        *Metrics
	GosecVersion string
}

ReportInfo this is report information

func NewReportInfo added in v2.8.0 

func NewReportInfo(issues []*issue.Issue, metrics *Metrics, errors map[string][]Error) *ReportInfo

NewReportInfo instantiate a ReportInfo

func (*ReportInfo) WithVersion added in v2.8.0 

func (r *ReportInfo) WithVersion(version string) *ReportInfo

WithVersion defines the version of gosec used to generate the report

type Rule 

type Rule interface {
	ID() string
	Match(ast.Node, *Context) (*issue.Issue, error)
}

The Rule interface used by all rules supported by gosec.

type RuleBuilder 

type RuleBuilder func(id string, c Config) (Rule, []ast.Node)

RuleBuilder is used to register a rule definition with the analyzer

type RuleSet 

type RuleSet struct {
	Rules             map[reflect.Type][]Rule
	RuleSuppressedMap map[string]bool
}

A RuleSet contains a mapping of lists of rules to the type of AST node they should be run on and a mapping of rule ID's to whether the rule are suppressed. The analyzer will only invoke rules contained in the list associated with the type of AST node it is currently visiting.

func NewRuleSet 

func NewRuleSet() RuleSet

NewRuleSet constructs a new RuleSet

func (RuleSet) IsRuleSuppressed added in v2.9.4 

func (r RuleSet) IsRuleSuppressed(ruleID string) bool

IsRuleSuppressed will return whether the rule is suppressed.

func (RuleSet) Register 

func (r RuleSet) Register(rule Rule, isSuppressed bool, nodes ...ast.Node)

Register adds a trigger for the supplied rule for the specified ast nodes.

func (RuleSet) RegisteredFor 

func (r RuleSet) RegisteredFor(n ast.Node) []Rule

RegisteredFor will return all rules that are registered for a specified ast node.

Source Files

View all Source files

Directories

Path Synopsis
cmd
gosec command
gosecutil command
tlsconfig command
vflag
Package goanalysis provides a standard golang.org/x/tools/go/analysis.Analyzer for gosec.
 Package goanalysis provides a standard golang.org/x/tools/go/analysis.Analyzer for gosec.
internal
ssautil
Package ssautil provides shared SSA analysis utilities for gosec analyzers.
 Package ssautil provides shared SSA analysis utilities for gosec analyzers.
csv
golint
html
json
junit
sarif
sonar
text
yaml
Package taint provides a minimal taint analysis engine for gosec.
 Package taint provides a minimal taint analysis engine for gosec.
testutils/g117_samples.go
 testutils/g117_samples.go

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.