Skip to content

Commit

Permalink
Rule documentation updates (#1272)
Browse files Browse the repository at this point in the history
  • Loading branch information
@dannyc-grafana
dannyc-grafana authored Dec 17, 2024
1 parent 92de0ee commit e21b4d4
Show file tree
Hide file tree
Showing 2 changed files with 63 additions and 23 deletions.
25 changes: 2 additions & 23 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -211,30 +211,9 @@ A number of global settings can be provided in a configuration file as follows:
$ gosec -conf config.json .
```

Also some rules accept configuration. For instance on rule `G104`, it is possible to define packages along with a list
of functions which will be skipped when auditing the not checked errors:
#### Rule Configuration

```JSON
{
"G104": {
"ioutil": ["WriteFile"]
}
}
```

You can also configure the hard-coded credentials rule `G101` with additional patterns, or adjust the entropy threshold:

```JSON
{
"G101": {
"pattern": "(?i)passwd|pass|password|pwd|secret|private_key|token",
"ignore_entropy": false,
"entropy_threshold": "80.0",
"per_char_threshold": "3.0",
"truncate": "32"
}
}
```
Some rules accept configuration flags as well; these flags are documented in [RULES.md](https://github.com/securego/gosec/blob/master/RULES.md).

#### Go version

Expand Down
61 changes: 61 additions & 0 deletions RULES.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
# Rule Documentation

## Rules accepting parameters

As [README.md](https://github.com/securego/gosec/blob/master/README.md) mentions, some rules can be configured by adding parameters to the gosec JSON config. Per rule configs are encoded as top level objects in the gosec config, with the rule ID (`Gxxx`) as the key.

Currently, the following rules accept parameters. This list is manually maintained; if you notice an omission please add it!

### G101

The hard-coded credentials rule `G101` can be configured with additional patterns, and the entropy threshold can be adjusted:

```JSON
{
"G101": {
"pattern": "(?i)passwd|pass|password|pwd|secret|private_key|token",
"ignore_entropy": false,
"entropy_threshold": "80.0",
"per_char_threshold": "3.0",
"truncate": "32"
}
}
```

### G104

The unchecked error value rule `G104` can be configured with additional functions that should be permitted to be called without checking errors.

```JSON
{
"G104": {
"ioutil": ["WriteFile"]
}
}
```

### G111

The HTTP Directory serving rule `G111` can be configured with a different regex for detecting potentially overly permissive servers. Note that this *replaces* the default pattern of `http\.Dir\("\/"\)|http\.Dir\('\/'\)`.

```JSON
{
"G111": {
"pattern": "http\\.Dir\\(\"\\\/\"\\)|http\\.Dir\\('\\\/'\\)"
}
}

```

### G301, G302, G306, G307

The various file and directory permission checking rules can be configured with a different maximum allowable file permission.

```JSON
{
"G301":"0o600",
"G302":"0o600",
"G306":"0o750",
"G307":"0o750"
}
```

0 comments on commit e21b4d4

Please sign in to comment.