Gosec is a great tool to run against our Go code to catch common security issues. To keep the post short, I won't explain the issues themselves; my focus is to show you how to run the tool. Maybe in the future I can write about the issues; for now, if you want to understand more, please read this post.
gosec - Go Security Checker (excerpt from the project's README)
Inspects source code for security problems by scanning the Go AST and SSA code representation.
License
Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. You may obtain a copy of the License here.
Install
CI Installation
# binary will be $(go env GOPATH)/bin/gosec
curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $(go env GOPATH)/bin vX.Y.Z
# or install it into ./bin/
curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s vX.Y.Z
# In alpine linux (as it does not come with curl by default)
wget -O - -q https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s vX.Y.Z
# If you want to use the checksums provided on the "Releases" page
# then you will have to download a tar.gz file for your operating system instead of a binary file
wget https://github.com/securego/gosec/releases/download/vX.Y.Z/gosec_vX.Y.Z_OS.tar.gz
You can run the tool using a binary or using Docker. I'll show you both.
Using the binary, run this from your project's root directory:
gosec *.go
Note that *.go only scans the Go files in that one directory; to scan every package in the tree recursively, pass ./... instead:
gosec ./...
Using Docker needs more config, but it works well. In the README the command is securego/gosec ./...; it didn't work for me, so I replaced ./... with the project path:
docker run -it -v $GOPATH/src/<YOUR PROJECT PATH>:/go/src/<YOUR PROJECT PATH> securego/gosec $GOPATH/src/<YOUR PROJECT PATH>
Even if you use Go modules, you need to use this format to run the tool.
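To see what a run actually reports, here is a constructed Go file (an added example, not code from this post or from the gosec project) with a deliberately weak version of an HTTP client helper beside its fixed form. Put it in a module, run gosec ./... there, and the first function should show up in the findings while the second stays clean. The function names, the API_TOKEN environment variable and the sk_live_... string are assumptions made for this example; the rule IDs in the comments (G101 for hard-coded credentials, G402 for bad TLS settings) are the ones listed in the gosec README, and the exact output depends on the gosec version you install.

```go
// Constructed example for running gosec; not part of the original post.
// The first helper is the "before" that the scanner is expected to flag,
// the second is the "after" that passes.
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net/http"
	"os"
)

// insecureClient is the "before": it embeds a credential in the source
// (gosec G101 matches a variable named token assigned a string literal)
// and turns off certificate verification (gosec G402). It is kept only
// so the scanner has something to report; never ship code like this.
func insecureClient() (*http.Client, string) {
	token := "sk_live_hardcoded_do_not_do_this" // G101: hard-coded credential (assumed value)
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // G402: verification disabled
	}
	return &http.Client{Transport: tr}, token
}

// secureClient is the "after": the credential comes from the environment
// (API_TOKEN is an assumed variable name), certificate verification stays
// on, and a minimum TLS version is pinned so a downgrade to TLS 1.0/1.1
// is refused.
func secureClient() (*http.Client, string, error) {
	token := os.Getenv("API_TOKEN")
	if token == "" {
		return nil, "", errors.New("API_TOKEN is not set")
	}
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12},
	}
	return &http.Client{Transport: tr}, token, nil
}

// tlsConfigIsSafe is the property the fix restores: verification enabled
// and nothing older than TLS 1.2 accepted. Handy as a unit test on any
// transport your code builds, independent of what the scanner reports.
func tlsConfigIsSafe(cfg *tls.Config) bool {
	return cfg != nil && !cfg.InsecureSkipVerify && cfg.MinVersion >= tls.VersionTLS12
}

func main() {
	client, _, err := secureClient()
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	tr := client.Transport.(*http.Transport)
	fmt.Println("secure client TLS config safe:", tlsConfigIsSafe(tr.TLSClientConfig))

	bad, _ := insecureClient()
	fmt.Println("insecure client TLS config safe:", tlsConfigIsSafe(bad.Transport.(*http.Transport).TLSClientConfig))
}
```

If you only want to confirm the scanner is wired into your pipeline, drop this file into a throwaway package: a run that reports nothing for insecureClient means gosec is not actually looking at that directory (the *.go versus ./... distinction above is the usual cause).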
That's all folks, I hope it can be useful to you =)
Top comments (4)
Gosec is great!
Because you like gosec, you also may find the GitHub app GuardRails useful.
GuardRails leverages a bunch of security tools, such as gosec, and provides the scan results directly in a Pull Request comment.
Installation is easy, you just have to install the GuardRails GitHub app and select the repositories that you want to have covered.
Check it out :)
Great tool, I'll try =)
Thank you
Cool, seems very useful! Thanks Renato.
You should add the following tag so it ends up in there:
#githunt
Added, Thanks rhymes =)