gosec analyzes Go source code to look for common programming mistakes that can lead to security problems.
It checks the source for security issues by scanning the Go AST.
https://github.com/securego/gosec
gosec v2.4.0
gosec - Golang security checker

gosec analyzes Go source code to look for common programming mistakes that can lead to security problems.

Usage:

    # Check a single package
    $ gosec $GOPATH/src/github.com/example/project

    # Check all packages under the current directory and save the results in JSON format
    $ gosec -fmt=json -out=results.json ./...

    # Run a specific set of rules (by default all rules will be run):
    $ gosec -include=G101,G203,G401 ./...

    # Run all rules except the provided ones
    $ gosec -exclude=G101 $GOPATH/src/github.com/example/project/...

Options:

    -conf string
        Path to an optional config file
    -confidence string
        Filter out issues with a confidence lower than the given value. Valid options are: low, medium, high (default "low")
    -exclude string
        Comma-separated list of rule IDs to exclude. See the "Rules" list
    -exclude-dir value
        Exclude a directory from the scan. Can be specified multiple times
    -fmt string
        Set the output format. Valid options are: json, yaml, csv, junit-xml, html, sonarqube, golint or text (default "text")
    -include string
        Comma-separated list of rule IDs to include. See the "Rules" list
    -log string
        Log messages to a file instead of standard error
    -no-fail
        Do not fail the scan even when issues are found
    -nosec
        Ignore "#nosec" comments when set
    -nosec-tag string
        Set an alternative string for "#nosec". Some examples: #dontanalyze, #falsepositive
    -out string
        Set the output file for the results
    -quiet
        Only show output when errors are found
    -severity string
        Filter out issues with a severity lower than the given value. Valid options are: low, medium, high (default "low")
    -sort
        Sort issues by severity (default true)
    -tags string
        Comma-separated list of build tags
    -tests
        Scan test files
    -version
        Print the version and quit with exit code 0

Rules:

    G101: Look for hardcoded credentials
    G102: Bind to all interfaces
    G103: Audit the use of unsafe block
    G104: Audit errors not checked
    G106: Audit the use of ssh.InsecureIgnoreHostKey function
    G107: Url provided to HTTP request as taint input
    G108: Profiling endpoint is automatically exposed
    G109: Converting strconv.Atoi result to int32/int16
    G110: Detect io.Copy instead of io.CopyN when decompression
    G201: SQL query construction using format string
    G202: SQL query construction using string concatenation
    G203: Use of unescaped data in HTML templates
    G204: Audit use of command execution
    G301: Poor file permissions used when creating a directory
    G302: Poor file permissions used when creation file or using chmod
    G303: Creating tempfile using a predictable path
    G304: File path provided as taint input
    G305: File path traversal when extracting zip archive
    G306: Poor file permissions used when writing to a file
    G307: Unsafe defer call of a method returning an error
    G401: Detect the usage of DES, RC4, MD5 or SHA1
    G402: Look for bad TLS connection settings
    G403: Ensure minimum RSA key length of 2048 bits
    G404: Insecure random number source (rand)
    G501: Import blocklist: crypto/md5
    G502: Import blocklist: crypto/des
    G503: Import blocklist: crypto/rc4
    G504: Import blocklist: net/http/cgi
    G505: Import blocklist: crypto/sha1
    G601: Implicit memory aliasing in RangeStmt
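The rules above are easier to read with the code shapes they refer to in front of you. The following Go file is an added example, not code from gosec or from this page: it places the G201 pattern (format-string SQL) beside a parameterized query, and gives hardened forms for G304 (a base-directory containment check), G306/G307 (restrictive file mode, close error not discarded) and G404/G104 (crypto/rand with its error checked). The function names, the base path /srv/data and the sample inputs are constructed for illustration; running gosec over this file is expected to report only the deliberately flagged userQueryFlagged function.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// userQueryFlagged builds SQL with fmt.Sprintf; gosec reports this as G201
// because the untrusted value becomes part of the statement text. It is kept
// here only as the "before" form for comparison.
func userQueryFlagged(username string) string {
	return fmt.Sprintf("SELECT id, name FROM users WHERE name = '%s'", username)
}

// userQuery is the hardened form: the value travels as a bound parameter and
// the statement text stays constant, so database/sql hands it to the driver
// without it ever being interpreted as SQL.
func userQuery(username string) (query string, args []interface{}) {
	return "SELECT id, name FROM users WHERE name = ?", []interface{}{username}
}

// resolveUnderBase addresses G304 (file path provided as taint input): the
// untrusted relative path is joined to base and rejected if, after cleaning,
// it no longer lies inside base. Symlinks are not resolved; callers that need
// that should additionally check filepath.EvalSymlinks on the result.
func resolveUnderBase(base, untrusted string) (string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absBase, untrusted) // Join cleans ".." segments
	rel, err := filepath.Rel(absBase, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("path escapes base directory")
	}
	return target, nil
}

// writeSecret addresses G306 and G307: the file is created with mode 0o600
// rather than 0o666, and the error returned by Close is not thrown away by a
// bare "defer f.Close()" but folded into the function's result.
func writeSecret(path string, data []byte) (err error) {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
	if err != nil {
		return err
	}
	defer func() {
		if cerr := f.Close(); err == nil && cerr != nil {
			err = cerr
		}
	}()
	_, err = f.Write(data)
	return err
}

// randomToken addresses G404 (insecure random number source) and G104
// (unchecked errors): it draws from crypto/rand rather than math/rand and
// checks the error that rand.Read can return.
func randomToken(nBytes int) (string, error) {
	b := make([]byte, nBytes)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

func main() {
	q, args := userQuery("alice' OR '1'='1") // constructed sample input
	fmt.Println(q, args)
	if _, err := resolveUnderBase("/srv/data", "../../etc/passwd"); err != nil {
		fmt.Println("rejected:", err)
	}
	tok, err := randomToken(16)
	if err != nil {
		fmt.Println("rand failed:", err)
		return
	}
	fmt.Println("token:", tok)
}
```

A quick way to see the difference the rules describe is to run `gosec ./...` on a copy of this file and then delete userQueryFlagged: the G201 finding disappears while the remaining functions produce no findings.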