Renato Suero

Golang Security Checker

Gosec is a great tool to run on our Go code to check it for security issues. To keep the post short, I won't explain the security issues; my focus will be to show you how to run the tool. Maybe in the future I can write about the issues; right now, if you want to understand more, please read this post

securego / gosec (GitHub)

Golang security checker

gosec - Golang Security Checker

Inspects source code for security problems by scanning the Go AST.

License

Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. You may obtain a copy of the License here.

Install

CI Installation

# binary will be $(go env GOPATH)/bin/gosec
curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $(go env GOPATH)/bin vX.Y.Z
# or install it into ./bin/
curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s vX.Y.Z

# In alpine linux (as it does not come with curl by default)
wget -O - -q https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s vX.Y.Z

# If you want to use the checksums provided on the "Releases" page
# then you will have to download a tar.gz file for your operating system instead of a binary file
wget https://github.com/securego/gosec/releases/download/vX.Y.Z/gosec_vX.Y.Z_OS.tar.gz

# The file will be in

You can run the tool using a binary or using Docker. I'll show you both cases.
Using the binary, run this in your project's root directory:

gosec *.go

Using Docker, it needs more config, but it works well. In the README the command is securego/gosec ./...; it didn't work for me, so I replaced ./... with the project path:

docker run -it -v $GOPATH/src/<YOUR PROJECT PATH>:/go/src/<YOUR PROJECT PATH> securego/gosec $GOPATH/src/<YOUR PROJECT PATH>

Even if you use Go modules, you need to use this format to run the tool.
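As an added example (not from the post or from the gosec project): a small Go program that reads a report written with gosec -fmt=json -out=report.json ./... and fails the step only for findings at or above a chosen severity, so either invocation above can be wrapped the same way in CI. It assumes gosec's JSON layout (an Issues array whose entries carry severity, rule_id, file and line) and uses a constructed sample report in place of a real file.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
)

// Issue keeps the "Issues" entry fields the gate uses; gosec's other fields (cwe, confidence, code, column, details) are skipped.
type Issue struct {
	Severity string `json:"severity"` // HIGH, MEDIUM or LOW
	RuleID   string `json:"rule_id"`  // e.g. G401
	File     string `json:"file"`
	Line     string `json:"line"` // a string, since gosec can report a range such as "12-14"
}
var severityRank = map[string]int{"LOW": 1, "MEDIUM": 2, "HIGH": 3}
// Gate returns the issues at or above minSeverity; an empty result lets the build proceed.
func Gate(report []byte, minSeverity string) ([]Issue, error) {
	minRank, ok := severityRank[minSeverity]
	if !ok {
		return nil, fmt.Errorf("unknown severity %q", minSeverity)
	}
	var r struct{ Issues []Issue `json:"Issues"` }
	if err := json.Unmarshal(report, &r); err != nil {
		return nil, fmt.Errorf("parsing gosec report: %w", err)
	}
	var blocking []Issue
	for _, is := range r.Issues {
		if severityRank[is.Severity] >= minRank {
			blocking = append(blocking, is)
		}
	}
	return blocking, nil
}
// SampleReport is a constructed stand-in for a real report.json (Stats and "Golang errors" omitted).
const SampleReport = `{"Issues":[
 {"severity":"HIGH","confidence":"HIGH","rule_id":"G401","details":"Use of weak cryptographic primitive","file":"hash.go","line":"12"},
 {"severity":"LOW","confidence":"HIGH","rule_id":"G104","details":"Errors unhandled.","file":"main.go","line":"30"}]}`

func main() {
	blocking, err := Gate([]byte(SampleReport), "MEDIUM")
	if err != nil {
		log.Fatal(err)
	}
	for _, is := range blocking {
		fmt.Printf("%s %s:%s %s\n", is.Severity, is.File, is.Line, is.RuleID)
	}
	if len(blocking) > 0 {
		log.Fatalf("%d blocking finding(s), failing the step", len(blocking)) // exit status 1
	}
}
```

With the sample report only the G401 finding blocks at MEDIUM; lowering the threshold to LOW would also block on G104.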

That's all, folks. I hope it can be useful to you =)

Discussion (4)

Stefan Streichsbier

Gosec is great!

Because you like gosec, you may also find the GitHub app GuardRails useful.

GuardRails leverages a bunch of security tools, such as gosec, and provides the scan results directly in a Pull Request comment.

Installation is easy, you just have to install the GuardRails GitHub app and select the repositories that you want to have covered.

Check it out :)

Renato Suero (author)

Great tool, I'll try it =)
Thank you

rhymes

Cool, seems very useful! Thanks Renato.

You should add the following tag so it ends up in there:

#githunt

Interesting open source repos you've discovered and want to share with the community.
Renato Suero (author)

Added, thanks rhymes =)