Gosec is a great tool to run against our Go code and check that we have no security issues. To keep the post short, I won't explain the security issues themselves; my focus is to show you how to run the tool. Maybe in the future I can write about the issues; for now, if you want to understand more, please read this post.
From the gosec README: "gosec - Golang Security Checker. Inspects source code for security problems by scanning the Go AST." Licensed under the Apache License, Version 2.0.

Installing the binary:

    # binary will be $GOPATH/bin/gosec
    curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $GOPATH/bin vX.Y.Z

    # or install it into ./bin/
    curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s vX.Y.Z

    # In alpine linux (as it does not come with curl by default)
    wget -O - -q https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s vX.Y.Z

    gosec --help

Or with go get:

    $ go get github.com/securego/gosec/cmd/gosec/...

Gosec can be configured to only run a subset of rules, to exclude certain file paths, and produce reports in different formats. By default all rules will be run against the supplied input files. To recursively scan…
You can run the tool using a binary or using Docker. I'll show both cases.

Using the binary, you need to run it from your project's root directory:
Using Docker needs more configuration, but it works well. In the README the command is securego/gosec ./..., but it didn't work for me, so I replaced ./... with the project path:
docker run -it -v $GOPATH/src/<YOUR PROJECT PATH>:/go/src/<YOUR PROJECT PATH> securego/gosec $GOPATH/src/<YOUR PROJECT PATH>
Even if you use Go modules, you need to use this format to run the tool.
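As an added example (not code from the original post or from the gosec project), here is a small POSIX shell helper that assembles the gosec invocation for both cases above: the locally installed binary run from the project root, and the securego/gosec Docker image with the project bind-mounted. It assumes GOPATH is set on the host and that the project lives under $GOPATH/src; the function and variable names are my own. The one thing it does differently from the command in the post is that it hands gosec the container-side path (/go/src/<project>), because that argument is interpreted inside the container, where GOPATH is /go; the host's $GOPATH only happens to match when it is also /go.

```shell
#!/bin/sh
# Added example, not from the original post: build the gosec command for a
# project, for a local binary or for the securego/gosec Docker image.
# Assumes GOPATH is set and the project directory is under $GOPATH/src.
GOSEC_IMAGE="${GOSEC_IMAGE:-securego/gosec}"

# Resolve DIR to an absolute path and print it relative to $GOPATH/src
# (e.g. "github.com/acme/api"). Fails if DIR is missing or outside $GOPATH/src.
project_rel_path() {
    abs=$(cd "$1" 2>/dev/null && pwd -P) || { echo "no such directory: $1" >&2; return 1; }
    case "$abs" in
        "$GOPATH/src/"?*) printf '%s\n' "${abs#"$GOPATH/src/"}" ;;
        *) echo "$abs is not under \$GOPATH/src" >&2; return 1 ;;
    esac
}

# Print (do not run) the command for MODE "binary" or "docker".
# binary: change into the project root and scan every package below it.
# docker: bind-mount the project at /go/src/<project>, the path it has inside
#         the image (whose GOPATH is /go), and pass gosec that container path.
gosec_cmd() {
    mode=$1
    rel=$(project_rel_path "$2") || return 1
    case "$mode" in
        binary)
            printf 'cd "%s/src/%s" && gosec ./...\n' "$GOPATH" "$rel" ;;
        docker)
            printf 'docker run --rm -it -v "%s/src/%s:/go/src/%s" %s /go/src/%s\n' \
                "$GOPATH" "$rel" "$rel" "$GOSEC_IMAGE" "$rel" ;;
        *)
            echo "unknown mode: $mode (use binary or docker)" >&2; return 1 ;;
    esac
}

# Stand-alone usage: sh run_gosec.sh docker $GOPATH/src/github.com/acme/api
# Prints the assembled command, then executes it.
if [ -n "$1" ] && [ -n "$2" ]; then
    cmd=$(gosec_cmd "$1" "$2") && printf '%s\n' "$cmd" && sh -c "$cmd"
fi
```

The helper refuses directories outside $GOPATH/src instead of guessing a mount point, since a wrong mapping makes gosec report "no packages" rather than a clear error. If you call this from CI, drop the `-it` flags from the docker line: they require a terminal, which a pipeline job usually does not have.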
That's all, folks. I hope it can be useful to you =)