
Golang Security Checker

Renato Suero ・1 min read

Gosec is a great tool to run against our Go code to check it for security issues. To keep the post short, I won't explain the security issues; my focus is on showing you how to run the tool. Maybe in the future I can write about the issues. For now, if you want to understand more, please read this post.

securego / gosec

Golang security checker

gosec - Golang Security Checker

Inspects source code for security problems by scanning the Go AST.

License

Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. You may obtain a copy of the License here.

Install

CI Installation

# binary will be $GOPATH/bin/gosec
curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $GOPATH/bin vX.Y.Z
# or install it into ./bin/
curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s vX.Y.Z
# In alpine linux (as it does not come with curl by default)
wget -O - -q https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s vX.Y.Z

# If you want to use the checksums provided on the "Releases" page
# then you will have to download a tar.gz file for your operating system instead of a binary file
wget https://github.com/securego/gosec/releases/download/vX.Y.Z/gosec_vX.Y.Z_OS.tar.gz

# The file will be in the current folder where you run

You can run the tool using a binary or using Docker. I'll show you both.
Using the binary, run this in your project's root directory:

gosec *.go

With Docker it needs more configuration, but it works well. In the README the command is securego/gosec ./...; it didn't work for me, so I replaced ./... with the project path.

docker run -it -v $GOPATH/src/<YOUR PROJECT PATH>:/go/src/<YOUR PROJECT PATH> securego/gosec /go/src/<YOUR PROJECT PATH>

Even if you use Go modules, you need to use this format to run the tool.
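
The README excerpt above says gosec inspects source by scanning the Go AST. As an added illustration (not gosec's code and not part of the original post), this program uses the standard go/parser and go/ast packages to flag two patterns in a constructed source file; the Scan function, the weakImports deny-list and the sample input are assumptions made for the example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
)

// weakImports is a small deny-list constructed for this example only.
var weakImports = map[string]bool{"crypto/md5": true, "crypto/sha1": true, "crypto/des": true}

// sample is constructed input: one weak import, one literal and one variable command.
const sample = "package p\n\nimport (\n\t\"crypto/md5\"\n\t\"os/exec\"\n)\n\nfunc run(name string) {\n\t_ = md5.New()\n\t_ = exec.Command(\"ls\")\n\t_ = exec.Command(name)\n}\n"

// Scan parses one Go source file and returns findings formatted as "line: message".
func Scan(src string) ([]string, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, "sample.go", src, 0)
	if err != nil {
		return nil, err
	}
	var findings []string
	report := func(pos token.Pos, msg string) {
		findings = append(findings, fmt.Sprintf("%d: %s", fset.Position(pos).Line, msg))
	}
	ast.Inspect(file, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.ImportSpec:
			// Import paths are stored as quoted string literals.
			if p, err := strconv.Unquote(x.Path.Value); err == nil && weakImports[p] {
				report(x.Pos(), "weak crypto import "+p)
			}
		case *ast.CallExpr:
			// Flag exec.Command(...) when the program name is not a string literal.
			if sel, ok := x.Fun.(*ast.SelectorExpr); ok && sel.Sel.Name == "Command" && len(x.Args) > 0 {
				pkg, isIdent := sel.X.(*ast.Ident)
				_, isLit := x.Args[0].(*ast.BasicLit)
				if isIdent && pkg.Name == "exec" && !isLit {
					report(x.Pos(), "exec.Command with non-literal program")
				}
			}
		}
		return true
	})
	return findings, nil
}

func main() { fmt.Println(Scan(sample)) }
```

The match is purely syntactic: it keys on the identifier exec, so an aliased import of os/exec would be missed, which is why a real scanner also resolves types and imports.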

That's all, folks. I hope it can be useful to you =)

Discussion

 

Gosec is great!

Because you like gosec, you also may find the GitHub app GuardRails useful.

GuardRails leverages a bunch of security tools, such as gosec, and provides the scan results directly in a Pull Request comment.

Installation is easy, you just have to install the GuardRails GitHub app and select the repositories that you want to have covered.

Check it out :)

 

Great tool, I'll try =)
thank you

 

Cool, seems very useful! Thanks Renato.

You should add the following tag so it ends up in there:

#githunt

Interesting open source repos you've discovered and want to share with the community.