🛠 GoSec Checker
Hello, let's continue and look at an analyzer you definitely need if you write or test code in Go.
The tool scans the AST and SSA to detect vulnerabilities that grep-based scanners miss. It finds unsafe database queries, Path Traversal, hardcoded secrets, tokens, keys, etc., and is also capable of taint analysis, that is, tracing a value from user input to a sink. Works out of the box. Output formats: JSON, SARIF, JUnit XML, HTML, md, for example:
gosec -fmt=json -out=report.json ./...
Commands
# Via Homebrew
brew install gosec
# Via go install
go install github.com/securego/gosec/v2/cmd/gosec@latest
# Scan a specific package
gosec ./cmd/server/...
# Scan with detail
gosec -verbose=text ./...
# Specific rules only
gosec -include=G101,G201,G401 ./...
# Exclude specific rules
gosec -exclude=G104,G304 ./...
# Only high vulnerabilities
gosec -severity=high ./...
Configuration (.gosec.json); note the comma after every array element, "vendor" and "test" included, otherwise the file is not valid JSON:
{
  "exclude": ["G104", "G304"],
  "severity": "medium",
  "confidence": "medium",
  "exclude-dirs": [
    "vendor",
    "test"
  ],
  "global": {
    "nosec": "enabled",
    "audit": "enabled"
  }
}
Path Traversal example (the pattern gosec reports as G304, file inclusion via a variable path):
package main

import "io/ioutil"

// Vulnerable: the user-supplied filename is concatenated without any check.
func ReadFile(filename string) ([]byte, error) {
	// The attacker can send: ../../etc/passwd
	return ioutil.ReadFile("/data/" + filename)
}
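As an added example (not from the original post or the gosec project), here is the hardened counterpart of the function above: the user-supplied name is joined to the base directory and the cleaned result is checked with filepath.Rel before anything is read. The names SafeJoin, SafeReadFile and ErrOutsideBase are my own.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when the requested name escapes the base directory.
var ErrOutsideBase = errors.New("path escapes base directory")

// SafeJoin resolves name under base and rejects any result that leaves base.
// filepath.Join cleans the path, so "/data/../../etc/passwd" becomes
// "/etc/passwd"; the filepath.Rel check then catches that escape.
func SafeJoin(base, name string) (string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	joined := filepath.Join(absBase, name)
	rel, err := filepath.Rel(absBase, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return joined, nil
}

// SafeReadFile is the hardened counterpart of ReadFile above. Symlinks inside
// base are not resolved here; use os.Root (Go 1.24+) when that matters.
func SafeReadFile(base, name string) ([]byte, error) {
	p, err := SafeJoin(base, name)
	if err != nil {
		return nil, err
	}
	return os.ReadFile(p) // #nosec G304 -- path validated by SafeJoin
}

func main() {
	for _, n := range []string{"report.txt", "sub/../report.txt", "../../etc/passwd"} {
		p, err := SafeJoin("/data", n)
		fmt.Printf("%-20s -> %q err=%v\n", n, p, err)
	}
}
```

gosec still flags os.ReadFile with a variable path, so the justified #nosec annotation documents the review rather than silencing the rule blindly.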
CI/CD (GitHub Actions workflow):
name: Gosec Security Scan
on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
jobs:
  gosec:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.22'
      - name: Run Gosec
        uses: securego/gosec@master
        with:
          args: '-fmt sarif -out gosec.sarif ./...'
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: gosec.sarif
A useful feature: metrics from the JSON report
# Number of findings per severity
gosec -fmt=json ./... | jq '.Issues | group_by(.severity) | map({severity: .[0].severity, count: length})'
# Top 5 rules with the most hits
gosec -fmt=json ./... | jq '.Issues | group_by(.rule_id) | map({rule: .[0].rule_id, count: length}) | sort_by(.count) | reverse | .[0:5]'
Summary:
• Some rules, for example G104 (unchecked errors, implemented in "errors.go"), generate a huge number of warnings on ordinary project code
• The built-in credential-search rules can produce false positives on comments and string literals in the code
• The gosec ruleset is also available in Semgrep, which calls into question running two different tools
• Can replace several tools as a single solution if your codebase is Go-only
• Very simple and user-friendly
• Zero config, works out of the box
• Not a policy engine, so it does not implement a policy-as-code approach
• Limited ability to enforce policies as a security-gate tool
• Parses the code into an AST using the standard go/ast package and applies a set of built-in rules to look for unsafe patterns
• The tool has about 40 basic rules
• Rules can be excluded from the scan and configured through the configuration file "gosec.json"
Footnotes
• AST - Abstract Syntax Tree: a tree-like representation of the structure of the source code, that is, "what is written", for example:
FuncDecl
├── Name: "add"
├── Params: [a int, b int]
├── Results: [int]
└── Body
    └── ReturnStmt
        └── BinaryExpr (+)
            ├── Ident: "a"
            └── Ident: "b"
• SSA - Static Single Assignment: an intermediate representation in which every variable is assigned exactly once, that is, "from where and to where" a value flows
#toolchain #sast #appsec #reco #techsolution #term
